From: James Carter <jwcart2@gmail.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH userspace 5/5] semodule: add command-line option to detect module changes
Date: Thu, 20 Jan 2022 17:12:40 -0500 [thread overview]
Message-ID: <CAP+JOzQDn9yHjCf3FY6O1XmKuutj2D5WF8DjwBbCHwdOWqUr2w@mail.gmail.com> (raw)
In-Reply-To: <20220113143935.195125-6-omosnace@redhat.com>
On Thu, Jan 13, 2022 at 6:36 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Add a new command-line option "--smart" (for the lack of a better
> name...) to control the newly introduced check_ext_changes libsemanage
> flag.
>
> For example, running `semodule -B --smart` will ensure that any
> externally added/removed modules (e.g. by an RPM transaction) are
> reflected in the compiled policy, while skipping the most expensive part
> of the rebuild if no module change was deteceted since the last
> libsemanage transaction.
>
I tested "semodule -B" followed by "semodule -B --smart" and "semodule
-DB" followed by "semodule -DB --smart" and both worked as expected.
Thanks,
Jim
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policycoreutils/semodule/semodule.c | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
> index a5b71fc4..638edb39 100644
> --- a/policycoreutils/semodule/semodule.c
> +++ b/policycoreutils/semodule/semodule.c
> @@ -47,6 +47,7 @@ static int verbose;
> static int reload;
> static int no_reload;
> static int build;
> +static int check_ext_changes;
> static int disable_dontaudit;
> static int preserve_tunables;
> static int ignore_module_cache;
> @@ -149,6 +150,8 @@ static void usage(char *progname)
> printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
> printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
> printf(" -m, --checksum print module checksum (SHA256).\n");
> + printf(" --smart force policy rebuild if module content changed since\n"
> + " last rebuild (based on checksum)\n");
> }
>
> /* Sets the global mode variable to new_mode, but only if no other
> @@ -180,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
> static void parse_command_line(int argc, char **argv)
> {
> static struct option opts[] = {
> + {"smart", 0, NULL, '\0'},
> {"store", required_argument, NULL, 's'},
> {"base", required_argument, NULL, 'b'},
> {"help", 0, NULL, 'h'},
> @@ -207,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
> };
> int extract_selected = 0;
> int cil_hll_set = 0;
> - int i;
> + int i, longind;
> verbose = 0;
> reload = 0;
> no_reload = 0;
> + check_ext_changes = 0;
> priority = 400;
> while ((i =
> - getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
> - NULL)) != -1) {
> + getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
> + opts, &longind)) != -1) {
> switch (i) {
> + case '\0':
> + switch(longind) {
> + case 0: /* --smart */
> + check_ext_changes = 1;
> + break;
> + default:
> + usage(argv[0]);
> + exit(1);
> + }
> + break;
> case 'b':
> fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
> set_mode(INSTALL_M, optarg);
> @@ -813,6 +828,8 @@ cleanup_disable:
> semanage_set_reload(sh, 0);
> if (build)
> semanage_set_rebuild(sh, 1);
> + if (check_ext_changes)
> + semanage_set_check_ext_changes(sh, 1);
> if (disable_dontaudit)
> semanage_set_disable_dontaudit(sh, 1);
> else if (build)
> --
> 2.34.1
>
prev parent reply other threads:[~2022-01-20 22:12 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-13 14:39 [RFC PATCH userspace 0/5] Allow rebuilding policy store only if there were external changes to modules Ondrej Mosnacek
2022-01-13 14:39 ` [RFC PATCH userspace 1/5] libsemanage: add missing include to boolean_record.c Ondrej Mosnacek
2022-01-13 14:39 ` [RFC PATCH userspace 2/5] semodule,libsemanage: move module hashing into libsemanage Ondrej Mosnacek
2022-01-20 21:52 ` James Carter
2022-01-21 13:21 ` Ondrej Mosnacek
2022-01-25 15:17 ` Petr Lautrbach
2022-01-13 14:39 ` [RFC PATCH userspace 3/5] libsemanage: move compressed file handling into a separate object Ondrej Mosnacek
2022-01-20 21:58 ` James Carter
2022-01-13 14:39 ` [RFC PATCH userspace 4/5] libsemanage: optionally rebuild policy when modules are changed externally Ondrej Mosnacek
2022-01-20 22:08 ` James Carter
2022-01-21 13:30 ` Ondrej Mosnacek
2022-01-13 14:39 ` [RFC PATCH userspace 5/5] semodule: add command-line option to detect module changes Ondrej Mosnacek
2022-01-15 17:38 ` Christian Göttsche
2022-01-20 22:10 ` James Carter
2022-01-20 22:12 ` James Carter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAP+JOzQDn9yHjCf3FY6O1XmKuutj2D5WF8DjwBbCHwdOWqUr2w@mail.gmail.com \
--to=jwcart2@gmail.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.