From: Vit Mojzis <vmojzis@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
Date: Fri, 27 Sep 2019 16:13:47 +0200 [thread overview]
Message-ID: <20190927141347.1422-1-vmojzis@redhat.com> (raw)
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 11 ++++++++---
python/semanage/semanage-permissive.8 | 8 +++++++-
python/semanage/seobject.py | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index f4266cef..864f9212 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -737,6 +737,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -752,9 +757,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -778,7 +783,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 8586567b..5e9e3eb5 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
--
2.21.0
reply other threads:[~2019-09-27 14:13 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190927141347.1422-1-vmojzis@redhat.com \
--to=vmojzis@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).