forcing old genfscon behavior for time being

matt-sheets · matt-sheets · commit bfe3f8816023 · 2022-12-02T08:09:47.000-07:00
diff --git a/data/expected_cil/fs_context.cil b/data/expected_cil/fs_context.cil
@@ -109,9 +109,6 @@
 (handleunknown allow)
 (typeattribute domain)
 (typeattribute resource)
-(type bar)
-(roletype object_r bar)
-(typeattributeset resource (bar))
 (type foo)
 (roletype object_r foo)
 (typeattributeset resource (foo))
@@ -130,8 +127,6 @@
 (fsuse trans tmpfs (system_u object_r foo ((s0) (s0))))
 (genfscon cgroup "/" (system_u object_r foo ((s0) (s0))))
 (genfscon proc "/" (system_u object_r foo ((s0) (s0))))
-(genfscon sysfs "/zap" dir (system_u object_r foo ((s0) (s0))))
-(genfscon sysfs "/zap/baa" file (system_u object_r bar ((s0) (s0))))
 (sid kernel)
 (sidcontext kernel (system_u system_r kernel_sid ((s0) (s0))))
 (sid security)
diff --git a/data/policies/fs_context.cas b/data/policies/fs_context.cas
@@ -7,12 +7,14 @@ resource foo {
     fs_context(this, "proc", genfscon, "/");
     fs_context(this, "proc", genfscon, "/");
     fs_context(this, "cgroup", genfscon);
-    fs_context(this, "sysfs", genfscon, "/zap", [dir]);
+    // TODO re-add when secilc check is in place
+    // fs_context(this, "sysfs", genfscon, "/zap", [dir]);
 
 	// Policies must include at least one av rule
 	allow(domain, foo, file, [read]);
 }
 
-resource bar {
-    fs_context(this, "sysfs", genfscon, "/zap/baa", [file]);
-}
+// TODO re-add when secilc check is in place
+// resource bar {
+//    fs_context(this, "sysfs", genfscon, "/zap/baa", [file]);
+//}
diff --git a/src/internal_rep.rs b/src/internal_rep.rs
@@ -1404,28 +1404,37 @@ impl From<&FileSystemContextRule<'_>> for sexp::Sexp {
                 Sexp::from(&f.context),
             ]),
             FSContextType::GenFSCon => {
-                // Since path is an optional arg and I dont want to get
+                // Since path is an optional arg and I don't want to get
                 // into unwrap issue we are doing an 'if let' here.  The lack
-                // of path should be caught ealier, so if we dont have a path
+                // of path should be caught earlier, so if we don't have a path
                 // we will return an empty list.  The more correct way to fix this
                 // is convert this to a try_from, but this causes issues with some
                 // of our match statements and mixing returns.
                 if let Some(p) = &f.path {
-                    match &f.file_type {
-                        Some(file_type) => list(&[
-                            atom_s("genfscon"),
-                            atom_s(f.fs_name.trim_matches('"')),
-                            atom_s(p.as_ref()),
-                            Sexp::Atom(Atom::S(file_type.to_string())),
-                            Sexp::from(&f.context),
-                        ]),
-                        None => list(&[
-                            atom_s("genfscon"),
-                            atom_s(f.fs_name.trim_matches('"')),
-                            atom_s(p.as_ref()),
-                            Sexp::from(&f.context),
-                        ]),
+                    if let Some(file_type) = &f.file_type {
+                        // TODO add secilc check here. Right now our github pipeline
+                        // supports an older version of secilc.  So to get things moving forward
+                        // we are forcing the old behavior.  The new behavior has been tested locally.
+                        // REMEMBER TO UPDATE THE TESTS
+                        // if secilc/libsepol version is new enough {
+                        if false {
+                            return list(&[
+                                atom_s("genfscon"),
+                                atom_s(f.fs_name.trim_matches('"')),
+                                atom_s(p.as_ref()),
+                                Sexp::Atom(Atom::S(file_type.to_string())),
+                                Sexp::from(&f.context),
+                            ]);
+                        }
                     }
+                    // We are purposefully falling through without an else to
+                    // reduce redundant lines of code
+                    list(&[
+                        atom_s("genfscon"),
+                        atom_s(f.fs_name.trim_matches('"')),
+                        atom_s(p.as_ref()),
+                        Sexp::from(&f.context),
+                    ])
                 } else {
                     list(&[])
                 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -1147,8 +1147,9 @@ mod tests {
                 "fsuse task sockfs (system_u object_r foo ((s0) (s0)))",
                 "fsuse trans tmpfs (system_u object_r foo ((s0) (s0)))",
                 "genfscon proc \"/\" (system_u object_r foo ((s0) (s0)))",
-                "genfscon sysfs \"/zap\" dir (system_u object_r foo ((s0) (s0)))",
-                "genfscon sysfs \"/zap/baa\" file (system_u object_r bar ((s0) (s0)))",
+                // TODO re-add when secilc check is in place
+                // "genfscon sysfs \"/zap\" dir (system_u object_r foo ((s0) (s0)))",
+                // "genfscon sysfs \"/zap/baa\" file (system_u object_r bar ((s0) (s0)))",
                 "genfscon cgroup \"/\" (system_u object_r foo ((s0) (s0)))",
             ],
             &[],
