* secilc genfscon parsing error
@ 2022-11-23 15:53 Matthew Sheets
2022-11-23 16:15 ` James Carter
2022-11-23 18:10 ` Dominick Grift
0 siblings, 2 replies; 6+ messages in thread
From: Matthew Sheets @ 2022-11-23 15:53 UTC (permalink / raw)
To: SELinux
Hi,
I am seeing a parsing error from secilc when trying to compile the
following line:
(genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
But according to the documentation here:
https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
I believe this should be a valid line.
The compiler error given is:
Invalid syntax
Bad genfscon declaration at out.cil:129
Failed to build AST
Failed to compile cildb: -1
If I remove the file keyword everything compiles correctly.
Other interesting points of data:
In ref policy there is the following line in selinux.te
genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
When compiling this to cil with checkpolicy the following line is produced:
(genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow
systemlow)))
Which has no reference to the optional file_type field.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: secilc genfscon parsing error
2022-11-23 15:53 secilc genfscon parsing error Matthew Sheets
@ 2022-11-23 16:15 ` James Carter
2022-11-23 17:06 ` Matthew Sheets
2022-11-23 18:10 ` Dominick Grift
1 sibling, 1 reply; 6+ messages in thread
From: James Carter @ 2022-11-23 16:15 UTC (permalink / raw)
To: Matthew Sheets; +Cc: SELinux
On Wed, Nov 23, 2022 at 10:55 AM Matthew Sheets
<masheets@linux.microsoft.com> wrote:
>
> Hi,
>
> I am seeing a parsing error from secilc when trying to compile the
> following line:
> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>
> But according to the documentation here:
> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
> I believe this should be a valid line.
>
> The compiler error given is:
> Invalid syntax
> Bad genfscon declaration at out.cil:129
> Failed to build AST
> Failed to compile cildb: -1
>
> If I remove the file keyword everything compiles correctly.
>
> Other interesting points of data:
>
> In ref policy there is the following line in selinux.te
> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>
> When compiling this to cil with checkpolicy the following line is produced:
> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow
> systemlow)))
> Which has no reference to the optional file_type field.
CIL did not properly handle the optional file type until a year ago.
The SELinux userspace version 3.4, released last May, would be the
only one that has the fix.
Your rule will work with the latest release.
Thanks,
Jim
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: secilc genfscon parsing error
2022-11-23 16:15 ` James Carter
@ 2022-11-23 17:06 ` Matthew Sheets
0 siblings, 0 replies; 6+ messages in thread
From: Matthew Sheets @ 2022-11-23 17:06 UTC (permalink / raw)
To: James Carter; +Cc: SELinux
On 11/23/2022 9:15 AM, James Carter wrote:
> On Wed, Nov 23, 2022 at 10:55 AM Matthew Sheets
> <masheets@linux.microsoft.com> wrote:
>>
>> Hi,
>>
>> I am seeing a parsing error from secilc when trying to compile the
>> following line:
>> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>>
>> But according to the documentation here:
>> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
>> I believe this should be a valid line.
>>
>> The compiler error given is:
>> Invalid syntax
>> Bad genfscon declaration at out.cil:129
>> Failed to build AST
>> Failed to compile cildb: -1
>>
>> If I remove the file keyword everything compiles correctly.
>>
>> Other interesting points of data:
>>
>> In ref policy there is the following line in selinux.te
>> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>>
>> When compiling this to cil with checkpolicy the following line is produced:
>> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow
>> systemlow)))
>> Which has no reference to the optional file_type field.
>
> CIL did not properly handle the optional file type until a year ago.
> The SELinux userspace version 3.4, released last May, would be the
> only one that has the fix.
> Your rule will work with the latest release.
>
> Thanks,
> Jim
Hi Jim,
I pulled the newest master (fb7f35495fbad468d6efa76c5fed727659903038)
rebuilt & installed the whole selinux repo and I am seeing the same issue.
I also made the following change:
diff --git a/secilc/test/policy.cil b/secilc/test/policy.cil
index e6b78618..1bcac523 100644
--- a/secilc/test/policy.cil
+++ b/secilc/test/policy.cil
@@ -279,7 +279,7 @@
(portcon tcp 22 system_u_bin_t_l2h)
(portcon dccp (2048 2096) system_u_bin_t_l2h)
(portcon sctp (1024 1035) system_u_bin_t_l2h)
- (genfscon - "/usr/bin" system_u_bin_t_l2h)
+ (genfscon - "/usr/bin" file system_u_bin_t_l2h)
(netifcon eth0 system_u_bin_t_l2h system_u_bin_t_l2h)
;different contexts?
(fsuse xattr ext3 system_u_bin_t_l2h)
And ran 'make test' in the secilc directory and saw the same error in
the previous email.
Is there possibly something else I am missing in my environment?
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: secilc genfscon parsing error
2022-11-23 15:53 secilc genfscon parsing error Matthew Sheets
2022-11-23 16:15 ` James Carter
@ 2022-11-23 18:10 ` Dominick Grift
2022-11-23 18:13 ` Dominick Grift
1 sibling, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2022-11-23 18:10 UTC (permalink / raw)
To: Matthew Sheets; +Cc: SELinux
Matthew Sheets <masheets@linux.microsoft.com> writes:
> Hi,
>
> I am seeing a parsing error from secilc when trying to compile the
> following line:
> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
Works fine here (unless i am overlooking something:
root@brutus:~# cat > mytest.cil <<EOF
> (blockinherit .sysfile.base_template)
> EOF
root@brutus:~# cat > mytest.cil <<EOF
> (block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
> EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# echo $?
0
root@brutus:~# seinfo --genfscon | grep foo
genfscon /foo file sys.id:sys.role:foo.sysfile:s0
root@brutus:~#
>
> But according to the documentation here:
> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
> I believe this should be a valid line.
>
> The compiler error given is:
> Invalid syntax
> Bad genfscon declaration at out.cil:129
> Failed to build AST
> Failed to compile cildb: -1
>
> If I remove the file keyword everything compiles correctly.
>
> Other interesting points of data:
>
> In ref policy there is the following line in selinux.te
> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>
> When compiling this to cil with checkpolicy the following line is produced:
> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t
> (systemlow systemlow)))
> Which has no reference to the optional file_type field.
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: secilc genfscon parsing error
2022-11-23 18:10 ` Dominick Grift
@ 2022-11-23 18:13 ` Dominick Grift
2022-11-23 18:29 ` Matthew Sheets
0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2022-11-23 18:13 UTC (permalink / raw)
To: Matthew Sheets; +Cc: SELinux
Dominick Grift <dominick.grift@defensec.nl> writes:
Whoops that was wrong (not sure why that worked), this should be ok
(still works):
root@brutus:~# cat > mytest.cil <<EOF
(block foo (blockinherit .sysfile.base_template) (genfscon sysfs "/foo" file sysfile_context))
EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# seinfo --genfscon | grep foo
genfscon sysfs /foo -- sys.id:sys.role:foo.sysfile:s0
root@brutus:~#
> Matthew Sheets <masheets@linux.microsoft.com> writes:
>
>> Hi,
>>
>> I am seeing a parsing error from secilc when trying to compile the
>> following line:
>> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>
> Works fine here (unless i am overlooking something:
>
> root@brutus:~# cat > mytest.cil <<EOF
>> (blockinherit .sysfile.base_template)
>> EOF
> root@brutus:~# cat > mytest.cil <<EOF
>> (block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
>> EOF
> root@brutus:~# semodule -i mytest.cil
> root@brutus:~# echo $?
> 0
> root@brutus:~# seinfo --genfscon | grep foo
> genfscon /foo file sys.id:sys.role:foo.sysfile:s0
> root@brutus:~#
>
>>
>> But according to the documentation here:
>> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
>> I believe this should be a valid line.
>>
>> The compiler error given is:
>> Invalid syntax
>> Bad genfscon declaration at out.cil:129
>> Failed to build AST
>> Failed to compile cildb: -1
>>
>> If I remove the file keyword everything compiles correctly.
>>
>> Other interesting points of data:
>>
>> In ref policy there is the following line in selinux.te
>> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>>
>> When compiling this to cil with checkpolicy the following line is produced:
>> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t
>> (systemlow systemlow)))
>> Which has no reference to the optional file_type field.
>>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: secilc genfscon parsing error
2022-11-23 18:13 ` Dominick Grift
@ 2022-11-23 18:29 ` Matthew Sheets
0 siblings, 0 replies; 6+ messages in thread
From: Matthew Sheets @ 2022-11-23 18:29 UTC (permalink / raw)
To: Dominick Grift; +Cc: SELinux
On 11/23/2022 11:13 AM, Dominick Grift wrote:
> Dominick Grift <dominick.grift@defensec.nl> writes:
>
> Whoops that was wrong (not sure why that worked), this should be ok
> (still works):
>
> root@brutus:~# cat > mytest.cil <<EOF
>
> (block foo (blockinherit .sysfile.base_template) (genfscon sysfs "/foo" file sysfile_context))
>
> EOF
> root@brutus:~# semodule -i mytest.cil
> root@brutus:~# seinfo --genfscon | grep foo
> genfscon sysfs /foo -- sys.id:sys.role:foo.sysfile:s0
> root@brutus:~#
>
>> Matthew Sheets <masheets@linux.microsoft.com> writes:
>>
>>> Hi,
>>>
>>> I am seeing a parsing error from secilc when trying to compile the
>>> following line:
>>> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>>
>> Works fine here (unless i am overlooking something:
>>
>> root@brutus:~# cat > mytest.cil <<EOF
>>> (blockinherit .sysfile.base_template)
>>> EOF
>> root@brutus:~# cat > mytest.cil <<EOF
>>> (block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
>>> EOF
>> root@brutus:~# semodule -i mytest.cil
>> root@brutus:~# echo $?
>> 0
>> root@brutus:~# seinfo --genfscon | grep foo
>> genfscon /foo file sys.id:sys.role:foo.sysfile:s0
>> root@brutus:~#
>>
>>>
>>> But according to the documentation here:
>>> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
>>> I believe this should be a valid line.
>>>
>>> The compiler error given is:
>>> Invalid syntax
>>> Bad genfscon declaration at out.cil:129
>>> Failed to build AST
>>> Failed to compile cildb: -1
>>>
>>> If I remove the file keyword everything compiles correctly.
>>>
>>> Other interesting points of data:
>>>
>>> In ref policy there is the following line in selinux.te
>>> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>>>
>>> When compiling this to cil with checkpolicy the following line is produced:
>>> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t
>>> (systemlow systemlow)))
>>> Which has no reference to the optional file_type field.
>>>
>
I figured it out. I had two versions of libsepol.so and was linking to
the older one. Thanks for the help.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-11-23 18:29 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-23 15:53 secilc genfscon parsing error Matthew Sheets
2022-11-23 16:15 ` James Carter
2022-11-23 17:06 ` Matthew Sheets
2022-11-23 18:10 ` Dominick Grift
2022-11-23 18:13 ` Dominick Grift
2022-11-23 18:29 ` Matthew Sheets
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).