[RFC PATCH 2/2] semodule: support changing policyvers via command line

From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>
Subject: [RFC PATCH 2/2] semodule: support changing policyvers via command line
Date: Thu,  6 Feb 2020 14:12:53 +0100	[thread overview]
Message-ID: <20200206131253.535302-3-omosnace@redhat.com> (raw)
In-Reply-To: <20200206131253.535302-1-omosnace@redhat.com>

When using semodule for building a distribution policy package (as
Fedora does), the environment might not have selinuxfs available and
provide no way to modify semanage.conf. When we want to build a policy
with version X (because our kernel doesn't support X+1 and above yet),
but our libsepol already has support for X+1, then we currently have no
way to do so.

To resolve this, add a new command-line argument to semodule, which
allows to override the system-wide configured version to a different
one.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policycoreutils/semodule/semodule.8 |  3 +++
 policycoreutils/semodule/semodule.c | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 18d4f708..88e027fd 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -64,6 +64,9 @@ A module is extracted as HLL by default. The name of the module written is
 <module-name>.<lang_ext>
 .SH "OPTIONS"
 .TP
+.B  \-V,\-\-policyvers
+force specific kernel policy version
+.TP
 .B  \-s,\-\-store
 name of the store to operate on
 .TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index a1f75e16..30c4495b 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -50,6 +50,8 @@ static int build;
 static int disable_dontaudit;
 static int preserve_tunables;
 static int ignore_module_cache;
+static unsigned policyvers;
+static int policyvers_set = 0;
 static uint16_t priority;
 static int priority_set = 0;
 
@@ -137,6 +139,7 @@ static void usage(char *progname)
 	printf("  -d,--disable=MODULE_NAME  disable module\n");
 	printf("  -E,--extract=MODULE_NAME  extract module\n");
 	printf("Options:\n");
+	printf("  -V,--policyvers  force specific kernel policy version\n");
 	printf("  -s,--store	   name of the store to operate on\n");
 	printf("  -N,-n,--noreload do not reload policy after commit\n");
 	printf("  -h,--help        print this message and quit\n");
@@ -210,7 +213,7 @@ static void parse_command_line(int argc, char **argv)
 	no_reload = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+		getopt_long(argc, argv, "V:s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
 			    NULL)) != -1) {
 		switch (i) {
 		case 'b':
@@ -248,6 +251,10 @@ static void parse_command_line(int argc, char **argv)
 			fprintf(stderr, "The --upgrade option is deprecated. Use --install instead.\n");
 			set_mode(INSTALL_M, optarg);
 			break;
+		case 'V':
+			policyvers = (unsigned)strtoul(optarg, NULL, 10);
+			policyvers_set = 1;
+			break;
 		case 's':
 			set_store(optarg);
 			break;
@@ -363,6 +370,9 @@ int main(int argc, char *argv[])
 		goto cleanup_nohandle;
 	}
 
+	if (policyvers_set)
+		semanage_set_policyvers(sh, policyvers);
+
 	if (store) {
 		/* Set the store we want to connect to, before connecting.
 		 * this will always set a direct connection now, an additional
-- 
2.24.1

