* [PATCH 1/3] checkpolicy: remove a redundant if-condition
@ 2019-10-17  7:05 Masatake YAMATO
  2019-10-17  7:05 ` [PATCH 2/3] checkpolicy: update the description for -o option in the man page Masatake YAMATO
  2019-10-17  7:05 ` [PATCH 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
  0 siblings, 2 replies; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-17  7:05 UTC (permalink / raw)
  To: selinux; +Cc: yamato

The inner if-condition in the following code is redundant:

	if (outfile) {
		/* ... just referring outfile ... */
		if (outfile) {
			do_something();
		}
	}

We can simplify this to:

	if (outfile) {
		/* ... just referring outfile ... */
		do_something();
	}

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index f928ec06..e18de171 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -682,9 +682,7 @@ int main(int argc, char **argv)
 			}
 		}
 
-		if (outfile) {
-			fclose(outfp);
-		}
+		fclose(outfp);
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);
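Review bot: The return value of `fclose(outfp)` on the new line is still ignored, so a failure while flushing the last buffered policy data (full disk, I/O error) would leave a truncated policy file without any diagnostic. For a policy compiler a silently short output is worth treating as fatal, for example `if (fclose(outfp)) { perror(outfile); exit(1); }`. The same gap remains in the last checkpolicy.c hunk of patch 3/3, where the stdout case skips fclose entirely and so gets no flush or error check at all; an `fflush(outfp)` followed by a `ferror(outfp)` test would cover it. main() starts and ends outside this hunk, so the exit path after this block is not visible here.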
-- 
2.21.0



* [PATCH 2/3] checkpolicy: update the description for -o option in the man page
  2019-10-17  7:05 [PATCH 1/3] checkpolicy: remove a redundant if-condition Masatake YAMATO
@ 2019-10-17  7:05 ` Masatake YAMATO
  2019-10-17  7:05 ` [PATCH 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
  1 sibling, 0 replies; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-17  7:05 UTC (permalink / raw)
  To: selinux; +Cc: yamato

Write about policy.conf and CIL files.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.8 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 1552f497..db57751c 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -40,7 +40,8 @@ Enable the MLS policy when checking and compiling the policy.
 Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
-Write a binary policy file to the specified filename.
+Write a policy file (binary, policy.conf, or CIL policy)
+to the specified filename.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
-- 
2.21.0



* [PATCH 3/3] checkpolicy: allow to write policy to stdout
  2019-10-17  7:05 [PATCH 1/3] checkpolicy: remove a redundant if-condition Masatake YAMATO
  2019-10-17  7:05 ` [PATCH 2/3] checkpolicy: update the description for -o option in the man page Masatake YAMATO
@ 2019-10-17  7:05 ` Masatake YAMATO
  2019-10-17 12:52   ` Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Masatake YAMATO @ 2019-10-17  7:05 UTC (permalink / raw)
  To: selinux; +Cc: yamato

If - is given as filename for -o option, checkpolicy
writes the policy to standard output. This helps users
to read policy.conf and/or CIL policy file with pager
like less command:

 $ checkpolicy -M -F -b /sys/fs/selinux/policy  -o - | less

The users don't have to make a temporary file.
/dev/stdout can be used instead. However, - reduces the amount of
typing needed for this purpose. Using - for standard output (and/or standard
input) is a popular convention.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
 checkpolicy/checkpolicy.8 |  5 +++--
 checkpolicy/checkpolicy.c | 24 +++++++++++++++++++-----
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index db57751c..bdfd6acd 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -41,7 +41,8 @@ Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
 Write a policy file (binary, policy.conf, or CIL policy)
-to the specified filename.
+to the specified filename. If - is given as filename,
+write it to standard output.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index e18de171..81bd2a9d 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
-	     "[-c policyvers (%d-%d)] [-o output_file] [-S] "
+	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
 	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
@@ -390,7 +390,8 @@ int main(int argc, char **argv)
 	struct sepol_av_decision avd;
 	class_datum_t *cladatum;
 	const char *file = txtfile;
-	char ans[80 + 1], *outfile = NULL, *path, *fstype;
+	char ans[80 + 1], *path, *fstype;
+	const char *outfile = NULL;
 	size_t scontext_len, pathlen;
 	unsigned int i;
 	unsigned int protocol, port;
@@ -638,9 +639,20 @@ int main(int argc, char **argv)
 	}
 
 	if (outfile) {
-		outfp = fopen(outfile, "w");
+		int use_stdout = !strcmp(outfile, "-");
+		if (use_stdout) {
+			outfp = stdout;
+			outfile = "<STDOUT>";
+		} else {
+			outfp = fopen(outfile, "w");
+		}
+
 		if (!outfp) {
-			perror(outfile);
+			if (use_stdout)
+				fprintf(stderr, "%s: error to use %s\n",
+					argv[0], outfile);
+			else
+				perror(outfile);
 			exit(1);
 		}
 
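Review bot: With `-o -` the policy now shares stdout with anything else main() prints there, and nothing in this hunk keeps that stream clean. The lines outside the hunk are not visible here, so it is worth confirming that every status message on this path goes to stderr; a single `printf` would be spliced into the binary policy or policy.conf that a downstream consumer then parses. Reassigning `outfile` to the display label also deserves a comment such as `/* outfile is only a label for messages from here on */`, because the variable no longer names a path that can be opened.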
@@ -682,7 +694,9 @@ int main(int argc, char **argv)
 			}
 		}
 
-		fclose(outfp);
+		if (outfp != stdout) {
+			fclose(outfp);
+		}
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);
-- 
2.21.0



* Re: [PATCH 3/3] checkpolicy: allow to write policy to stdout
  2019-10-17  7:05 ` [PATCH 3/3] checkpolicy: allow to write policy to stdout Masatake YAMATO
@ 2019-10-17 12:52   ` Stephen Smalley
  0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2019-10-17 12:52 UTC (permalink / raw)
  To: Masatake YAMATO, selinux

On 10/17/19 3:05 AM, Masatake YAMATO wrote:
> If - is given as filename for -o option, checkpolicy
> writes the policy to standard output. This helps users
> to read policy.conf and/or CIL policy file with pager
> like less command:
> 
>   $ checkpolicy -M -F -b /sys/fs/selinux/policy  -o - | less
> 
> The users don't have to make a temporary file.
> /dev/stdout can be used instead. However, - reduces the number of
> typing for the purpose. Using - for standard output (and/or standard
> input) is popular convention.
> 
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>
> ---
>   checkpolicy/checkpolicy.8 |  5 +++--
>   checkpolicy/checkpolicy.c | 24 +++++++++++++++++++-----
>   2 files changed, 22 insertions(+), 7 deletions(-)
> 
> diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
> index db57751c..bdfd6acd 100644
> --- a/checkpolicy/checkpolicy.8
> +++ b/checkpolicy/checkpolicy.8
> @@ -3,7 +3,7 @@
>   checkpolicy \- SELinux policy compiler
>   .SH SYNOPSIS
>   .B checkpolicy
> -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
> +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
>   .br
>   .SH "DESCRIPTION"
>   This manual page describes the
> @@ -41,7 +41,8 @@ Specify the policy version, defaults to the latest.
>   .TP
>   .B \-o,\-\-output filename
>   Write a policy file (binary, policy.conf, or CIL policy)
> -to the specified filename.
> +to the specified filename. If - is given as filename,
> +write it to standard output.
>   .TP
>   .B \-S,\-\-sort
>   Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index e18de171..81bd2a9d 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
>   {
>   	printf
>   	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
> -	     "[-c policyvers (%d-%d)] [-o output_file] [-S] "
> +	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
>   	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
>   	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
>   	exit(1);
> @@ -390,7 +390,8 @@ int main(int argc, char **argv)
>   	struct sepol_av_decision avd;
>   	class_datum_t *cladatum;
>   	const char *file = txtfile;
> -	char ans[80 + 1], *outfile = NULL, *path, *fstype;
> +	char ans[80 + 1], *path, *fstype;
> +	const char *outfile = NULL;
>   	size_t scontext_len, pathlen;
>   	unsigned int i;
>   	unsigned int protocol, port;
> @@ -638,9 +639,20 @@ int main(int argc, char **argv)
>   	}
>   
>   	if (outfile) {
> -		outfp = fopen(outfile, "w");
> +		int use_stdout = !strcmp(outfile, "-");
> +		if (use_stdout) {
> +			outfp = stdout;
> +			outfile = "<STDOUT>";
> +		} else {
> +			outfp = fopen(outfile, "w");
> +		}
> +
>   		if (!outfp) {
> -			perror(outfile);
> +			if (use_stdout)
> +				fprintf(stderr, "%s: error to use %s\n",
> +					argv[0], outfile);

This error message doesn't seem especially useful, and it isn't clear to 
me under what conditions this could ever occur.  Do we really need 
special handling of the stdout case here?

Otherwise, this looks good to me.

> +			else
> +				perror(outfile);
>   			exit(1);
>   		}
>   
> @@ -682,7 +694,9 @@ int main(int argc, char **argv)
>   			}
>   		}
>   
> -		fclose(outfp);
> +		if (outfp != stdout) {
> +			fclose(outfp);
> +		}
>   	} else if (cil) {
>   		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
>   		exit(1);
> 


