* [PATCH 0/5] dispol: add batch execution mode
@ 2019-10-08 6:44 Masatake YAMATO
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
` (6 more replies)
0 siblings, 7 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
dispol command requires interaction, and is not suitable for using
in a script. This patch set introduces -b that is for running
dispol non-interactively.
An example:
$ ./dispol -b 1 /sys/fs/selinux/policy
allow deltacloudd_log_t tmp_t : filesystem { associate };
allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
...
Masatake YAMATO (5):
dispol: extend usage() to take exit status
dispol: add an option for printing the command usage
dispol: introduce a local variable representing the input file
dispol: introduce -b option to run commands in batch
dispol: add the list of commands for batch mode to help message
checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
1 file changed, 69 insertions(+), 27 deletions(-)
--
2.21.0
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/5] dispol: extend usage() to take error code as an argument
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
@ 2019-10-08 6:44 ` Masatake YAMATO
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
` (5 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
This allows dispol command to exit successfully after
printing help messages.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index d72d9fb3..1d9556f4 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,11 @@
static policydb_t policydb;
-static __attribute__((__noreturn__)) void usage(const char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname,
+ int status)
{
printf("usage: %s binary_pol_file\n\n", progname);
- exit(1);
+ exit(status);
}
int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
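Review bot: usage() still prints through printf() to stdout now that callers choose the exit status, so the error path (status 1) keeps putting its message on stdout. Pick the stream from the argument, for example fprintf(status ? stderr : stdout, ...), so a script that captures stdout does not receive the usage text as data.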
@@ -395,7 +396,7 @@ int main(int argc, char **argv)
struct policy_file pf;
if (argc != 2)
- usage(argv[0]);
+ usage(argv[0], 1);
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 1/5] dispol: extend usage() to take exit status
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
@ 2019-10-08 6:44 ` Masatake YAMATO
2019-10-08 14:03 ` Stephen Smalley
2019-10-08 6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
` (4 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index d72d9fb3..6c4829c4 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,10 @@
static policydb_t policydb;
-static __attribute__((__noreturn__)) void usage(const char *progname)
+static __attribute__((__noreturn__)) void usage(const char *progname, int status)
{
printf("usage: %s binary_pol_file\n\n", progname);
- exit(1);
+ exit(status);
}
int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
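Review bot: The new usage() prototype line, with both parameters on one line, runs past 80 columns; wrap int status onto a continuation line. The commit message is also empty apart from the sign-off, so add a sentence saying why the exit status becomes a parameter.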
@@ -395,7 +395,7 @@ int main(int argc, char **argv)
struct policy_file pf;
if (argc != 2)
- usage(argv[0]);
+ usage(argv[0], 1);
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/5] dispol: add an option for printing the command usage
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take error code as an argument Masatake YAMATO
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
@ 2019-10-08 6:44 ` Masatake YAMATO
2019-10-09 14:41 ` [Non-DoD Source] " Stephen Smalley
2019-10-08 6:44 ` [PATCH 3/5] dispol: introduce a local variable representing the input file Masatake YAMATO
` (3 subsequent siblings)
6 siblings, 1 reply; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 1d9556f4..37b22cf8 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -39,7 +39,7 @@ static policydb_t policydb;
static __attribute__((__noreturn__)) void usage(const char *progname,
int status)
{
- printf("usage: %s binary_pol_file\n\n", progname);
+ printf("usage: %s [-h] binary_pol_file\n\n", progname);
exit(status);
}
@@ -395,7 +395,11 @@ int main(int argc, char **argv)
int state;
struct policy_file pf;
- if (argc != 2)
+ if (argc <= 1)
+ usage(argv[0], 1);
+ else if (strcmp(argv[1], "-h") == 0)
+ usage(argv[0], 0);
+ else if (argc != 2)
usage(argv[0], 1);
fd = open(argv[1], O_RDONLY);
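Review bot: In main(), -h is recognised only when it is argv[1], and that test runs before the argc != 2 check, so an invocation with -h followed by any number of extra arguments exits 0 and the extras are ignored without complaint. Either require argc == 2 in the -h branch or move the parsing to getopt(3), which also gives "--" for a policy file whose name starts with a dash.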
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/5] dispol: introduce a local variable representing the input file
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
` (2 preceding siblings ...)
2019-10-08 6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
@ 2019-10-08 6:44 ` Masatake YAMATO
2019-10-08 6:44 ` [PATCH 4/5] dispol: introduce -b option to run commands in batch Masatake YAMATO
` (2 subsequent siblings)
6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 37b22cf8..26bbba7a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -394,6 +394,7 @@ int main(int argc, char **argv)
char *name;
int state;
struct policy_file pf;
+ char *pf_name;
if (argc <= 1)
usage(argv[0], 1);
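Review bot: pf_name is only ever read (it is passed to open() and to the error messages in the next hunk), so declare it const char * where it is added after struct policy_file pf. The commit message has no body; one line on why the file name gets its own variable would help a later reader.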
@@ -401,23 +402,24 @@ int main(int argc, char **argv)
usage(argv[0], 0);
else if (argc != 2)
usage(argv[0], 1);
+ pf_name = argv[1];
- fd = open(argv[1], O_RDONLY);
+ fd = open(pf_name, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
- argv[1], strerror(errno));
+ pf_name, strerror(errno));
exit(1);
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
- argv[1], strerror(errno));
+ pf_name, strerror(errno));
exit(1);
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n",
- argv[1], strerror(errno));
+ pf_name, strerror(errno));
exit(1);
}
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 4/5] dispol: introduce -b option to run commands in batch
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
` (3 preceding siblings ...)
2019-10-08 6:44 ` [PATCH 3/5] dispol: introduce a local variable representing the input file Masatake YAMATO
@ 2019-10-08 6:44 ` Masatake YAMATO
2019-10-08 6:45 ` [PATCH 5/5] dispol: add the list of commands for batch mode to help message Masatake YAMATO
2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:44 UTC (permalink / raw)
To: selinux; +Cc: yamato
dispol command requires interaction. It is not suitable for using
in a script. This change introduces -b that is for running
dispol non-interactively.
An example:
$ ./dispol -b 1 /sys/fs/selinux/policy
allow deltacloudd_log_t tmp_t : filesystem { associate };
allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
...
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 49 ++++++++++++++++++++++++++++++---------
1 file changed, 38 insertions(+), 11 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 26bbba7a..0eaa830a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -39,7 +39,7 @@ static policydb_t policydb;
static __attribute__((__noreturn__)) void usage(const char *progname,
int status)
{
- printf("usage: %s [-h] binary_pol_file\n\n", progname);
+ printf("usage: %s [-h] [-b cmds] binary_pol_file\n\n", progname);
exit(status);
}
@@ -395,14 +395,21 @@ int main(int argc, char **argv)
int state;
struct policy_file pf;
char *pf_name;
+ char *cmds = NULL;
if (argc <= 1)
usage(argv[0], 1);
else if (strcmp(argv[1], "-h") == 0)
usage(argv[0], 0);
- else if (argc != 2)
+ else if (strcmp(argv[1], "-b") == 0) {
+ if (argc != 4)
+ usage(argv[0], 1);
+ cmds = argv[2];
+ pf_name = argv[3];
+ } else if (argc == 2)
+ pf_name = argv[1];
+ else
usage(argv[0], 1);
- pf_name = argv[1];
fd = open(pf_name, O_RDONLY);
if (fd < 0) {
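Review bot: In the -b branch, cmds = argv[2] is stored without any check, so an empty string or a string containing a rejected command is found only later inside the command loop, after the policy file has been opened, mapped and parsed. Validate the string here and call usage(argv[0], 1) on failure. The branch also fixes -b at argv[1] with argc == 4 exactly, which getopt(3) would relax.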
@@ -424,7 +431,8 @@ int main(int argc, char **argv)
}
/* read the binary policy */
- fprintf(out_fp, "Reading policy...\n");
+ if (!cmds)
+ fprintf(out_fp, "Reading policy...\n");
policy_file_init(&pf);
pf.type = PF_USE_MEMORY;
pf.data = map;
@@ -433,7 +441,7 @@ int main(int argc, char **argv)
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
exit(1);
}
- ret = policydb_read(&policydb, &pf, 1);
+ ret = policydb_read(&policydb, &pf, cmds == NULL);
if (ret) {
fprintf(stderr,
"%s: error(s) encountered while parsing configuration\n",
@@ -441,16 +449,30 @@ int main(int argc, char **argv)
exit(1);
}
- fprintf(stdout, "binary policy file loaded\n\n");
+ if (!cmds)
+ fprintf(stdout, "binary policy file loaded\n\n");
close(fd);
- menu();
+ if (!cmds)
+ menu();
for (;;) {
- printf("\nCommand (\'m\' for menu): ");
- if (fgets(ans, sizeof(ans), stdin) == NULL) {
- fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
+ if (cmds) {
+ ans[0] = *cmds++;
+ if (ans[0] == '\0')
+ ans[0] = 'q';
+ else if (strchr("7fm", ans[0])) {
+ fprintf(stderr,
+ "Unacceptable command in batch mode: %c\n",
+ ans[0]);
+ exit(1);
+ }
+ } else {
+ printf("\nCommand (\'m\' for menu): ");
+ if (fgets(ans, sizeof(ans), stdin) == NULL) {
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
strerror(errno));
- continue;
+ continue;
+ }
}
switch (ans[0]) {
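Review bot: In the batch branch the '\0' test has to stay ahead of strchr("7fm", ans[0]), because strchr() also matches the terminating null of the string it searches; swap the two tests and the end of the command string would be reported as an unacceptable command. Add a comment saying so, and give "7fm" a name that states these are the commands that need interactive input.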
@@ -551,6 +573,11 @@ int main(int argc, char **argv)
menu();
break;
default:
+ if (cmds) {
+ fprintf(stderr,
+ "Invalid command: %c\n", ans[0]);
+ exit(1);
+ }
printf("\nInvalid choice\n");
menu();
break;
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 5/5] dispol: add the list of commands for batch mode to help message
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
` (4 preceding siblings ...)
2019-10-08 6:44 ` [PATCH 4/5] dispol: introduce -b option to run commands in batch Masatake YAMATO
@ 2019-10-08 6:45 ` Masatake YAMATO
2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
6 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-08 6:45 UTC (permalink / raw)
To: selinux; +Cc: yamato
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
---
checkpolicy/test/dispol.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
index 0eaa830a..f6e6a26a 100644
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@@ -36,10 +36,14 @@
static policydb_t policydb;
+int menu(int interactive);
+
static __attribute__((__noreturn__)) void usage(const char *progname,
int status)
{
printf("usage: %s [-h] [-b cmds] binary_pol_file\n\n", progname);
+ printf("acceptable commands for -b option:\n");
+ menu(0);
exit(status);
}
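Review bot: The prototype int menu(int interactive); is added at file scope only because usage() is defined above menu(); declare menu() static in both the prototype and the definition, or move usage() below it and drop the prototype. With menu(0) called from usage(), the command list is also printed on every error exit, not only for -h.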
@@ -361,25 +365,30 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
hashtab_map(p->filename_trans, filenametr_display, &args);
}
-int menu(void)
+int menu(int interactive)
{
- printf("\nSelect a command:\n");
+ if (interactive)
+ printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB (entirely)\n");
printf("3) display conditional AVTAB (only ENABLED rules)\n");
printf("4) display conditional AVTAB (only DISABLED rules)\n");
printf("5) display conditional bools\n");
printf("6) display conditional expressions\n");
- printf("7) change a boolean value\n");
+ if (interactive)
+ printf("7) change a boolean value\n");
printf("8) display role transitions\n");
- printf("\n");
+ if (interactive)
+ printf("\n");
printf("c) display policy capabilities\n");
printf("p) display the list of permissive types\n");
printf("u) display unknown handling setting\n");
printf("F) display filename_trans rules\n");
- printf("\n");
- printf("f) set output file\n");
- printf("m) display menu\n");
+ if (interactive) {
+ printf("\n");
+ printf("f) set output file\n");
+ printf("m) display menu\n");
+ }
printf("q) quit\n");
return 0;
}
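Review bot: The if (interactive) guards in menu() encode a second time which commands batch mode rejects (7, f, m); the first copy is the "7fm" string checked in main() in patch 4/5. Keep one table of commands with a batch-allowed flag, or at least a comment at each site pointing at the other, so the help text and the check cannot drift apart.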
@@ -454,7 +463,7 @@ int main(int argc, char **argv)
close(fd);
if (!cmds)
- menu();
+ menu(cmds == NULL);
for (;;) {
if (cmds) {
ans[0] = *cmds++;
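Review bot: menu(cmds == NULL) sits inside if (!cmds), so the argument is always 1 at this call; write menu(1) as the other two call sites in this patch do.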
@@ -570,7 +579,7 @@ int main(int argc, char **argv)
exit(0);
break;
case 'm':
- menu();
+ menu(1);
break;
default:
if (cmds) {
@@ -579,7 +588,7 @@ int main(int argc, char **argv)
exit(1);
}
printf("\nInvalid choice\n");
- menu();
+ menu(1);
break;
}
--
2.21.0
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 0/5] dispol: add batch execution mode
2019-10-08 6:44 [PATCH 0/5] dispol: add batch execution mode Masatake YAMATO
` (5 preceding siblings ...)
2019-10-08 6:45 ` [PATCH 5/5] dispol: add the list of commands for batch mode to help message Masatake YAMATO
@ 2019-10-08 12:48 ` Stephen Smalley
2019-10-08 14:31 ` Stephen Smalley
6 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 12:48 UTC (permalink / raw)
To: Masatake YAMATO, selinux
On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> dispol command requires interaction, and is not suitable for using
> in a script. This patch set introduces -b that is for running
> dispol non-interactively.
>
> An example:
>
> $ ./dispol -b 1 /sys/fs/selinux/policy
> allow deltacloudd_log_t tmp_t : filesystem { associate };
> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
What is your intended use case for this support, i.e. how do you
envision using dispol in scripts?
If you just want to decompile policy, I'd recommend using checkpolicy
-F/--conf or checkpolicy -c/--cil, ala:
checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
or
checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
> ...
>
> Masatake YAMATO (5):
> dispol: extend usage() to take exit status
> dispol: add an option for printing the command usage
> dispol: introduce a local variable representing the input file
> dispol: introduce -b option to run commands in batch
> dispol: add the list of commands for batch mode to help message
>
> checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
> 1 file changed, 69 insertions(+), 27 deletions(-)
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 1/5] dispol: extend usage() to take exit status
2019-10-08 6:44 ` [PATCH 1/5] dispol: extend usage() to take exit status Masatake YAMATO
@ 2019-10-08 14:03 ` Stephen Smalley
0 siblings, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 14:03 UTC (permalink / raw)
To: Masatake YAMATO, selinux
On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>
You appear to have sent two slightly different versions of this patch?
> ---
> checkpolicy/test/dispol.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index d72d9fb3..6c4829c4 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -36,10 +36,10 @@
>
> static policydb_t policydb;
>
> -static __attribute__((__noreturn__)) void usage(const char *progname)
> +static __attribute__((__noreturn__)) void usage(const char *progname, int status)
> {
> printf("usage: %s binary_pol_file\n\n", progname);
> - exit(1);
> + exit(status);
> }
>
> int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
> @@ -395,7 +395,7 @@ int main(int argc, char **argv)
> struct policy_file pf;
>
> if (argc != 2)
> - usage(argv[0]);
> + usage(argv[0], 1);
>
> fd = open(argv[1], O_RDONLY);
> if (fd < 0) {
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 0/5] dispol: add batch execution mode
2019-10-08 12:48 ` [PATCH 0/5] dispol: add batch execution mode Stephen Smalley
@ 2019-10-08 14:31 ` Stephen Smalley
2019-10-17 7:12 ` Masatake YAMATO
0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2019-10-08 14:31 UTC (permalink / raw)
To: Masatake YAMATO, selinux
On 10/8/19 8:48 AM, Stephen Smalley wrote:
> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>> dispol command requires interaction, and is not suitable for using
>> in a script. This patch set introduces -b that is for running
>> dispol non-interactively.
>>
>> An example:
>>
>> $ ./dispol -b 1 /sys/fs/selinux/policy
>> allow deltacloudd_log_t tmp_t : filesystem { associate };
>> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>
> What is your intended use case for this support, i.e. how do you
> envision using dispol in scripts?
>
> If you just want to decompile policy, I'd recommend using checkpolicy
> -F/--conf or checkpolicy -c/--cil, ala:
> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
> or
> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
Or you could just use sesearch -A if you wanted to just dump all allow
rules, for example, or seinfo -b for all booleans, ...
dispol/dismod have always just been test/debug/developer utilities and
predated the ability to decompile policies with checkpolicy, so I'm not
sure if they are even still useful to keep around. Is anyone still
using them?
>
>> ...
>>
>> Masatake YAMATO (5):
>> dispol: extend usage() to take exit status
>> dispol: add an option for printing the command usage
>> dispol: introduce a local variable representing the input file
>> dispol: introduce -b option to run commands in batch
>> dispol: add the list of commands for batch mode to help message
>>
>> checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>> 1 file changed, 69 insertions(+), 27 deletions(-)
>>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [Non-DoD Source] [PATCH 2/5] dispol: add an option for printing the command usage
2019-10-08 6:44 ` [PATCH 2/5] dispol: add an option for printing the command usage Masatake YAMATO
@ 2019-10-09 14:41 ` Stephen Smalley
0 siblings, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2019-10-09 14:41 UTC (permalink / raw)
To: Masatake YAMATO, selinux
On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> Signed-off-by: Masatake YAMATO <yamato@redhat.com>
> ---
> checkpolicy/test/dispol.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index 1d9556f4..37b22cf8 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -39,7 +39,7 @@ static policydb_t policydb;
> static __attribute__((__noreturn__)) void usage(const char *progname,
> int status)
> {
> - printf("usage: %s binary_pol_file\n\n", progname);
> + printf("usage: %s [-h] binary_pol_file\n\n", progname);
> exit(status);
> }
>
> @@ -395,7 +395,11 @@ int main(int argc, char **argv)
> int state;
> struct policy_file pf;
>
> - if (argc != 2)
> + if (argc <= 1)
> + usage(argv[0], 1);
> + else if (strcmp(argv[1], "-h") == 0)
> + usage(argv[0], 0);
> + else if (argc != 2)
> usage(argv[0], 1);
Use getopt(3) or getopt_long(3) please for option handling.
>
> fd = open(argv[1], O_RDONLY);
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 0/5] dispol: add batch execution mode
2019-10-08 14:31 ` Stephen Smalley
@ 2019-10-17 7:12 ` Masatake YAMATO
0 siblings, 0 replies; 12+ messages in thread
From: Masatake YAMATO @ 2019-10-17 7:12 UTC (permalink / raw)
To: sds; +Cc: selinux
On Tue, 8 Oct 2019 10:31:37 -0400, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/8/19 8:48 AM, Stephen Smalley wrote:
>> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>>> dispol command requires interaction, and is not suitable for using
>>> in a script. This patch set introduces -b that is for running
>>> dispol non-interactively.
>>>
>>> An example:
>>>
>>> $ ./dispol -b 1 /sys/fs/selinux/policy
>>> allow deltacloudd_log_t tmp_t : filesystem { associate };
>>> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>> What is your intended use case for this support, i.e. how do you
>> envision using dispol in scripts?
>> If you just want to decompile policy, I'd recommend using checkpolicy
>> -F/--conf or checkpolicy -c/--cil, ala:
>> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
>> or
>> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
>
> Or you could just use sesearch -A if you wanted to just dump all allow
> rules, for example, or seinfo -b for all booleans, ...
>
> dispol/dismod have always just been test/debug/developer utilities and
> predated the ability to decompile policies with checkpolicy, so I'm
> not sure if they are even still useful to keep around. Is anyone
> still using them?
Thank you for the comment.
I didn't know that checkpolicy can be used for decompiling policies. I
read checkpolicy.8, and I found that what I want is a way to write
decompiled policies to standard output. Then I can read the result with
the less command, or filter it with grep. I frequently do something similar
with objdump. I would like to withdraw the patches about dispol.
Instead, I proposed '-o -' for writing decompiled policies to standard
output in another mail-thread. Could you review the proposal?
Masatake YAMATO
>>
>>> ...
>>>
>>> Masatake YAMATO (5):
>>> dispol: extend usage() to take exit status
>>> dispol: add an option for printing the command usage
>>> dispol: introduce a local variable representing the input file
>>> dispol: introduce -b option to run commands in batch
>>> dispol: add the list of commands for batch mode to help message
>>>
>>> checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>>> 1 file changed, 69 insertions(+), 27 deletions(-)
>>>
>>
>
^ permalink raw reply [flat|nested] 12+ messages in thread