* [ SEMANAGE ] Clear obsoleted objects
@ 2005-11-16 0:18 Ivan Gyurdiev
From: Ivan Gyurdiev @ 2005-11-16 0:18 UTC (permalink / raw)
To: SE Linux; +Cc: Stephen Smalley
[-- Attachment #1: Type: text/plain, Size: 1481 bytes --]
Get from here:
Preparing... ###########################################
[100%]
1:selinux-policy-targeted###########################################
[100%]
Attempting to install base module '/usr/share/selinux/targeted/base.pp':
Ok: return value of 0.
Committing changes:
libsepol.bool_update: boolean i18n_input_disable_trans no longer in policy
libsepol.bool_update: could not update boolean i18n_input_disable_trans
libsepol.sepol_bool_set: could not set boolean i18n_input_disable_trans
libsemanage.dbase_policydb_set: could not set record value
libsemanage.dbase_file_iterate: could not iterate over records
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
libsemanage.semanage_expand_sandbox: Unable to merge local modifications
into policy.
Failed!
to here:
Preparing... ###########################################
[100%]
1:selinux-policy-targeted###########################################
[100%]
Attempting to install base module '/usr/share/selinux/targeted/base.pp':
Ok: return value of 0.
Committing changes:
Ok: transaction number 0.
I really need to add some functions to the rtable that print out each
object (in a more sensible format than the one that's written to the
storage file), so we can report to the user what's being
obsoleted/changed - note that there are no messages in policy_components.c
for that reason. The TODO is related to "make libsemanage less verbose".
[-- Attachment #2: libsemanage.clear_obsolete.diff --]
[-- Type: text/x-patch, Size: 4550 bytes --]
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude 'booleans_kernel.*' --exclude 'database_pserver.*' old/libsemanage/src/boolean_internal.h new/libsemanage/src/boolean_internal.h
--- old/libsemanage/src/boolean_internal.h 2005-11-08 09:32:57.000000000 -0500
+++ new/libsemanage/src/boolean_internal.h 2005-11-15 19:03:24.000000000 -0500
@@ -13,4 +13,3 @@ hidden_proto(semanage_bool_key_extract)
hidden_proto(semanage_bool_key_free)
hidden_proto(semanage_bool_set_name)
hidden_proto(semanage_bool_set_value)
-
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude 'booleans_kernel.*' --exclude 'database_pserver.*' old/libsemanage/src/booleans_local.c new/libsemanage/src/booleans_local.c
--- old/libsemanage/src/booleans_local.c 2005-11-08 09:32:57.000000000 -0500
+++ new/libsemanage/src/booleans_local.c 2005-11-15 19:03:32.000000000 -0500
@@ -7,7 +7,6 @@ typedef semanage_bool_t record_t;
#define DBASE_RECORD_DEFINED
#include <stddef.h>
-#include <semanage/booleans_local.h>
#include "handle.h"
#include "database.h"
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude 'booleans_kernel.*' --exclude 'database_pserver.*' old/libsemanage/src/policy_components.c new/libsemanage/src/policy_components.c
--- old/libsemanage/src/policy_components.c 2005-11-10 08:42:41.000000000 -0500
+++ new/libsemanage/src/policy_components.c 2005-11-15 19:06:35.000000000 -0500
@@ -1,5 +1,6 @@
/* Copyright (C) 2005 Red Hat, Inc. */
+#include <stdlib.h>
#include "policy.h"
#include "handle.h"
#include "database.h"
@@ -10,6 +11,56 @@
#define MODE_SET 1
#define MODE_MODIFY 2
+static int clear_obsolete(
+ semanage_handle_t* handle,
+ dbase_config_t* src,
+ dbase_config_t* dst) {
+
+ record_key_t* key = NULL;
+ record_t** records = NULL;
+ size_t nrecords = 0;
+ size_t i;
+
+ dbase_table_t* src_dtable = src->dtable;
+ dbase_table_t* dst_dtable = dst->dtable;
+ record_table_t* rtable = src_dtable->get_rtable(src->dbase);
+
+ if (src_dtable->list(handle, src->dbase, &records, &nrecords) < 0)
+ goto err;
+
+ for (i = 0; i < nrecords; i++) {
+ int exists;
+
+ if (rtable->key_extract(handle, records[i], &key) < 0)
+ goto err;
+
+ if (dst_dtable->exists(handle, dst->dbase, key, &exists) < 0)
+ goto err;
+
+ if (!exists) {
+ if (src_dtable->del(handle, src->dbase, key) < 0)
+ goto err;
+
+ /* FIXME: notice to user */
+ /* INFO(handle, "boolean %s is obsolete, unsetting configured value..."); */
+ }
+ }
+
+ for (i=0; i < nrecords; i++)
+ rtable->free(records[i]);
+ free(records);
+ free(key);
+ return STATUS_SUCCESS;
+
+ err:
+ /* FIXME: handle error */
+ for (i=0; i < nrecords; i++)
+ rtable->free(records[i]);
+ free(records);
+ free(key);
+ return STATUS_ERR;
+}
+
typedef struct load_handler_arg {
semanage_handle_t* handle;
dbase_config_t* dconfig;
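Review bot: In the `for` loop of clear_obsolete, `key` is overwritten by `rtable->key_extract` on every iteration and released only once after the loop, so every key except the last is leaked, on the success path and on the `err` path alike. Release it at the end of each iteration and reset the pointer, for example `rtable->key_free(key); key = NULL;`, which also keeps the exit paths from freeing a stale key. The two-line follow-up patch later in this thread touches only the exit-path calls, so the per-iteration leak would remain after it. This assumes the key destructor accepts NULL, which the exit paths already rely on when `nrecords` is 0.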
@@ -65,15 +116,14 @@ typedef struct load_table {
/* This function must be called AFTER all modules are loaded.
* Modules could be represented as a database, in which case
- * they should be loaded first, before the other components. */
+ * they should be loaded at the beginning of this function */
+
int semanage_base_merge_components(
semanage_handle_t* handle) {
int i;
load_table_t components[] = {
- /* FIXME: modules */
-
{ semanage_user_dbase_local(handle),
semanage_user_dbase_policy(handle), MODE_MODIFY },
#if 0
@@ -104,6 +154,11 @@ int semanage_base_merge_components(
if (to->dtable->cache(handle, to->dbase) < 0)
goto err;
+
+ /* Clear obsolete items for MODE_SET */
+ if (components[i].mode == MODE_SET)
+ if (clear_obsolete(handle, from, to) < 0)
+ goto err;
/* Now iterate */
if (from->dtable->iterate(
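Review bot: The added `if (components[i].mode == MODE_SET)` wraps a second `if` without braces, and a failure in clear_obsolete jumps to `err` with no message of its own, because clear_obsolete logs nothing on its error path (`/* FIXME: handle error */`). Writing it as one condition, `if (components[i].mode == MODE_SET && clear_obsolete(handle, from, to) < 0) goto err;`, removes the dangling-if shape. A short error report naming the failing step before the jump would let an administrator trace why a locally configured value was dropped or why the commit failed. The loop body and the `err` label lie outside this hunk, so whether `err` already prints a summary cannot be confirmed from here.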
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude 'booleans_kernel.*' --exclude 'database_pserver.*' old/libsemanage/src/semanage_store.c new/libsemanage/src/semanage_store.c
--- old/libsemanage/src/semanage_store.c 2005-11-15 08:06:18.000000000 -0500
+++ new/libsemanage/src/semanage_store.c 2005-11-15 19:03:42.000000000 -0500
@@ -1389,10 +1389,8 @@ int semanage_expand_sandbox(semanage_han
dbase_policydb_detach(semanage_iface_dbase_policy(sh)->dbase);
dbase_policydb_detach(semanage_bool_dbase_policy(sh)->dbase);
- if (retval < 0) {
- ERR(sh, "Unable to merge local modifications into policy.");
+ if (retval < 0)
goto cleanup;
- }
if ((kernel_filename = semanage_path(SEMANAGE_TMP, SEMANAGE_KERNEL)) == NULL) {
goto cleanup;
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [ SEMANAGE ] Clear obsoleted objects 2005-11-16 0:18 [ SEMANAGE ] Clear obsoleted objects Ivan Gyurdiev @ 2005-11-16 14:18 ` Stephen Smalley 2005-11-16 14:31 ` Ivan Gyurdiev 2005-11-17 16:04 ` Please tell semodule to shut up???? Daniel J Walsh 0 siblings, 2 replies; 7+ messages in thread From: Stephen Smalley @ 2005-11-16 14:18 UTC (permalink / raw) To: Ivan Gyurdiev; +Cc: SE Linux On Tue, 2005-11-15 at 19:18 -0500, Ivan Gyurdiev wrote: > Get from here: > Preparing... ########################################### > [100%] > 1:selinux-policy-targeted########################################### > [100%] > Attempting to install base module '/usr/share/selinux/targeted/base.pp': > Ok: return value of 0. > Committing changes: > libsepol.bool_update: boolean i18n_input_disable_trans no longer in policy > libsepol.bool_update: could not update boolean i18n_input_disable_trans > libsepol.sepol_bool_set: could not set boolean i18n_input_disable_trans > libsemanage.dbase_policydb_set: could not set record value > libsemanage.dbase_file_iterate: could not iterate over records > libsemanage.semanage_base_merge_components: could not merge local > modifications into policy > libsemanage.semanage_expand_sandbox: Unable to merge local modifications > into policy. > Failed! > > to here: > > Preparing... ########################################### > [100%] > 1:selinux-policy-targeted########################################### > [100%] > Attempting to install base module '/usr/share/selinux/targeted/base.pp': > Ok: return value of 0. > Committing changes: > Ok: transaction number 0. > > I really need to add some functions to the rtable that print out each > object (in a more sensible format than the one that's written to the > storage file), so we can report to the user what's being > obsoleted/changed - note that there's no messages in policy_components.c > for that reason. 
The TODO is related to "make libsemanage less verbose". Thanks, merged as of libsemanage 1.3.55. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [ SEMANAGE ] Clear obsoleted objects 2005-11-16 14:18 ` Stephen Smalley @ 2005-11-16 14:31 ` Ivan Gyurdiev 2005-11-16 14:39 ` Stephen Smalley 2005-11-17 16:04 ` Please tell semodule to shut up???? Daniel J Walsh 1 sibling, 1 reply; 7+ messages in thread From: Ivan Gyurdiev @ 2005-11-16 14:31 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux > > Thanks, merged as of libsemanage 1.3.55. > I just found a bug ... should be using rtable->key_free(key), not free(key). -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [ SEMANAGE ] Clear obsoleted objects 2005-11-16 14:31 ` Ivan Gyurdiev @ 2005-11-16 14:39 ` Stephen Smalley 0 siblings, 0 replies; 7+ messages in thread From: Stephen Smalley @ 2005-11-16 14:39 UTC (permalink / raw) To: Ivan Gyurdiev; +Cc: SE Linux On Wed, 2005-11-16 at 09:31 -0500, Ivan Gyurdiev wrote: > > > > Thanks, merged as of libsemanage 1.3.55. > > > I just found a bug ... should be using rtable->key_free(key), not free(key). Ok. Index: libsemanage/src/policy_components.c =================================================================== RCS file: /nfshome/pal/CVS/selinux-usr/libsemanage/src/policy_components.c,v retrieving revision 1.14 diff -u -p -r1.14 policy_components.c --- libsemanage/src/policy_components.c 16 Nov 2005 13:49:15 -0000 1.14 +++ libsemanage/src/policy_components.c 16 Nov 2005 14:36:06 -0000 @@ -49,7 +49,7 @@ static int clear_obsolete( for (i=0; i < nrecords; i++) rtable->free(records[i]); free(records); - free(key); + rtable->key_free(key); return STATUS_SUCCESS; err: @@ -57,7 +57,7 @@ static int clear_obsolete( for (i=0; i < nrecords; i++) rtable->free(records[i]); free(records); - free(key); + rtable->key_free(key); return STATUS_ERR; } -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Please tell semodule to shut up???? 2005-11-16 14:18 ` Stephen Smalley 2005-11-16 14:31 ` Ivan Gyurdiev @ 2005-11-17 16:04 ` Daniel J Walsh 2005-11-17 16:20 ` Daniel J Walsh 2005-11-17 17:09 ` Joshua Brindle 1 sibling, 2 replies; 7+ messages in thread From: Daniel J Walsh @ 2005-11-17 16:04 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux [-- Attachment #1: Type: text/plain, Size: 8 bytes --] -- [-- Attachment #2: policycoreutils-verbose.patch --] [-- Type: text/x-patch, Size: 13057 bytes --] --- policycoreutils-1.27.28/audit2allow/audit2allow~ 2005-11-16 22:51:28.000000000 -0500 +++ policycoreutils-1.27.28/audit2allow/audit2allow 2005-11-17 10:26:24.000000000 -0500 @@ -65,6 +65,7 @@ ret=ret+"NAME=%s " % x[2] ret=ret + " : " + i return ret + def gettarget(self): if self.source == self.target: return "self" @@ -75,12 +76,15 @@ def __init__(self, input, last_reload=0, verbose=0): self.last_reload=last_reload self.allowRules={} - line = input.readline() - avc=[] - found=0 self.seclasses={} self.types=[] self.roles=[] + self.load(input) + + def load(self, input): + avc=[] + found=0 + line = input.readline() while line: rec=line.split() for i in rec: @@ -94,6 +98,7 @@ avc=[] line = input.readline() + def add(self,avc): scon="" tcon="" @@ -172,23 +177,25 @@ if type not in self.types: self.types.append(type) - def module_out(self, module): + def gen_module(self, module): + return "module %s 1.0;" % module + + def gen_requires(self): self.roles.sort() self.types.sort() keys=self.seclasses.keys() keys.sort() - rec="module %s 1.0;" % module - rec+="\n\nrequire {\n" + rec="\n\nrequire {\n" for i in self.roles: rec += "\trole %s; \n" % i rec += "\n\n" for i in keys: access=self.seclasses[i] access.sort() - rec+="\tclass %s { " % i + rec += "\tclass %s { " % i for a in access: - rec+=" %s" % a - rec+=" }; \n" + rec += " %s" % a + rec += " }; \n" rec += "\n\n" for i in self.types: 
@@ -196,65 +203,135 @@ rec += " };\n\n\n" return rec - def out(self, module): + def out(self, require=0, module=""): rec="" + if len(self.allowRules.keys())==0: + raise(ValueError("No AVC messages found.")) if module!="": - rec+=self.module_out(module) + rec += self.gen_module(module) + rec += self.gen_requires() + else: + if requires: + rec+=self.gen_requires() + for i in self.allowRules.keys(): rec += self.allowRules[i].out(verbose)+"\n" return rec -def usage(): - print 'audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]\n\ - -d read input from output of /bin/dmesg\n\ - -v verbose output\n\ - -l read input only after last \"load_policy\"\n\ - -i read input from <inputfile>\n\ - -m module output <modulename>\n\ - -o append output to <outputfile>\n' - sys.exit(1) - -def errorExit(error): - sys.stderr.write("%s exiting for: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) - sys.stderr.flush() - sys.exit(1) - -# -# This script will generate home dir file context -# based off the homedir_template file, entries in the password file, and -# -try: - last_reload=0 - input=sys.stdin - output=sys.stdout - module="" - verbose=0 - gopts, cmds = getopt.getopt(sys.argv[1:], 'vdo:hli:m:', ['help', - 'last_reload=']) - for o,a in gopts: - if o == '--last_reload' or o == "-l": - last_reload=1 - if o == "-v": - verbose=1 - if o == "-i": - input=open(a, "r") - if o == "-m": - module=a - if o == '--help': - usage() - if o == "-d": - input=os.popen("/bin/dmesg", "r") - if o == "-o": - output=open(a, "a") - if len(cmds) != 0: - usage() - out=allowRecords(input, last_reload, verbose) - output.write(out.out(module)) - -except getopt.error, error: - errorExit(string.join("Options Error ", error)) -except ValueError, error: - errorExit(string.join("ValueError ", error)) -except KeyboardInterrupt, error: - sys.exit(0) +if __name__ == '__main__': + + def usage(): + print 'audit2allow [-adhilrv] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ + -a, --all read 
input from audit and message log, conflicts with -i\n\ + -d, --dmesg read input from output of /bin/dmesg\n\ + -h, --help display this message\n\ + -i, --input read input from <inputfile> conflicts with -a\n\ + -l, --lastreload read input only after last \"load_policy\"\n\ + -m, --module generate module/require output <modulename> \n\ + -M generate loadable module package, conflicts with -o\n\ + -o, --output append output to <outputfile>, conflicts with -M\n\ + -r, --requires generate require output \n\ + -v, --verbose verbose output\n\ + ' + sys.exit(1) + + def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + + # + # + # + try: + last_reload=0 + input=sys.stdin + output=sys.stdout + module="" + requires=0 + verbose=0 + auditlogs=0 + buildPP=0 + input_ind=0 + output_ind=0 + gopts, cmds = getopt.getopt(sys.argv[1:], + 'adhi:lm:M:o:rv', + ['all', + 'dmesg', + 'help', + 'input=', + 'lastreload', + 'module=', + 'output=', + 'requires' + 'verbose' + ]) + for o,a in gopts: + if o == "-a" or o == "--all": + if input_ind: + usage() + input=open("/var/log/messages", "r") + auditlogs=1 + if o == "-d" or o == "--dmesg": + input=os.popen("/bin/dmesg", "r") + if o == "-h" or o == "--help": + usage() + if o == "-i"or o == "--input": + if auditlogs: + usage() + input_ind=1 + input=open(a, "r") + if o == '--lastreload' or o == "-l": + last_reload=1 + if o == "-m" or o == "--module": + if module != "": + usage() + module=a + if o == "-M": + if module != "" or output_ind: + usage() + module=a + outfile=a+".te" + buildPP=1 + output=open(outfile, "w") + if o == "-r" or o == "--requires": + requires=1 + if o == "-o" or o == "--output": + if module != "": + usage() + output=open(a, "a") + output_ind=1 + if o == "-v" or o == "--verbose": + verbose=1 + if len(cmds) != 0: + usage() + out=allowRecords(input, last_reload, verbose) + if auditlogs: + input=open("/var/log/audit/audit.log", "r") + out.load(input) + 
if buildPP: + print ("Generating type enforcment file: %s.te" % module) + output.write(out.out(requires, module)) + if buildPP: + print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module)) + rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module)) + if rc[0]==0: + print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) + rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) + if rc[0]==0: + print ("\n*************** IMPORTANT ***********************\n") + print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module) + else: + errorExit(rc[1]) + else: + errorExit(rc[1]) + + except getopt.error, error: + errorExit("Options Error " + error.msg) + except ValueError, error: + errorExit(error.args[0]) + except IOError, error: + errorExit(error.args[1]) + except KeyboardInterrupt, error: + sys.exit(0) --- policycoreutils-1.27.28/semodule/semodule.c~ 2005-11-16 15:39:03.000000000 -0500 +++ policycoreutils-1.27.28/semodule/semodule.c 2005-11-17 11:02:35.000000000 -0500 @@ -38,7 +38,7 @@ static int num_commands = 0; /* options given on command line */ -static int quiet; +static int verbose; static int reload; static int no_reload; static int build; @@ -122,7 +122,7 @@ printf(" -s,--store name of the store to operate on\n"); printf(" -n,--noreload do not reload policy after commit\n"); printf(" -h,--help print this message and quit\n"); - printf(" -q,--quiet be quiet\n"); + printf(" -v,--verbose be verbose\n"); } /* Sets the global mode variable to new_mode, but only if no other @@ -157,7 +157,7 @@ {"help", 0, NULL, 'h'}, {"install", required_argument, NULL, 'i'}, {"list-modules", 0, NULL, 'l'}, - {"quiet", 0, NULL, 'q'}, + {"verbose", 0, NULL, 'v'}, {"remove", required_argument, NULL, 'r'}, {"upgrade", required_argument, NULL, 'u'}, {"reload", 0, NULL, 'R'}, 
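Review bot: The long-option list passed to `getopt.getopt` is missing a comma between `'requires'` and `'verbose'`, so Python joins them into the single name `requiresverbose` and neither `--requires` nor `--verbose` reaches its branch; it should read `'requires', 'verbose'`. In the same hunk `out(self, require=0, module="")` tests `requires` rather than its own parameter `require`, so it works only through the script-level variable of that name. The `-M` value is also interpolated unquoted into the `checkmodule` and `semodule_package` command strings handed to `commands.getstatusoutput`, which runs them through a shell. Checking the module name against a strict pattern (for example `^[A-Za-z0-9_.-]+$`) before building those strings would keep a name containing shell metacharacters from being interpreted when the tool is driven by a script.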
@@ -166,7 +166,7 @@ {NULL, 0, NULL, 0} }; int i; - quiet = 0; + verbose = 0; reload = 0; no_reload = 0; while ((i = getopt_long(argc, argv, "s:b:hi:lqr:u:RnB", opts, NULL)) != -1) { @@ -175,7 +175,7 @@ case 'h': usage(argv[0]); exit(0); case 'i': set_mode(INSTALL_M, optarg); break; case 'l': set_mode(LIST_M, NULL); break; - case 'q': quiet = 1; break; + case 'v': verbose = 1; break; case 'r': set_mode(REMOVE_M, optarg); break; case 'u': set_mode(UPGRADE_M,optarg); break; case 's': set_store(optarg); break; @@ -266,28 +266,28 @@ } switch (mode) { case INSTALL_M: { - if (!quiet) { + if (verbose) { printf("Attempting to install module '%s':\n", mode_arg); } result = semanage_module_install(sh, data, data_len); break; } case UPGRADE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to upgrade module '%s':\n", mode_arg); } result = semanage_module_upgrade(sh, data, data_len); break; } case BASE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to install base module '%s':\n", mode_arg); } result = semanage_module_install_base(sh, data, data_len); break; } case REMOVE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to remove module '%s':\n", mode_arg); } result = semanage_module_remove(sh, mode_arg); @@ -296,7 +296,7 @@ case LIST_M: { semanage_module_info_t *modinfo; int num_modules; - if (!quiet) { + if (verbose) { printf("Attempting to list active modules:\n"); } if ((result = semanage_module_list(sh, &modinfo, &num_modules)) >= 0) { @@ -328,13 +328,13 @@ fprintf(stderr, "Failed!\n"); goto cleanup; } - else if (!quiet) { + else if (verbose) { printf("Ok: return value of %d.\n", result); } } if (commit) { - if (!quiet) { + if (verbose) { printf("Committing changes:\n"); } if (no_reload) { 
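Review bot: The short-option string in the context line of the `@@ -166,7 +166,7 @@` hunk is still `"s:b:hi:lqr:u:RnB"`, while the following hunk replaces `case 'q'` with `case 'v'`, so `-v` is rejected by `getopt_long` and `-q` is still accepted but no longer has a case in the visible part of the switch. The string should become `"s:b:hi:lvr:u:RnB"`; keeping `q` as an accepted no-op as well would avoid breaking existing scripts and package scriptlets that already pass `-q`. The resent copy of this patch later in the thread carries the same unchanged line. The option-parsing function starts and ends outside these hunks.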
@@ -347,7 +347,7 @@ fprintf(stderr, "Failed!\n"); goto cleanup; } - else if (commit && !quiet) { + else if (commit && verbose) { printf("Ok: transaction number %d.\n", result); } --- policycoreutils-1.27.28/scripts/genhomedircon~ 2005-11-16 22:33:25.000000000 -0500 +++ policycoreutils-1.27.28/scripts/genhomedircon 2005-11-16 23:21:23.000000000 -0500 @@ -65,12 +65,7 @@ homedir = homedir.strip() if not homedir in ret: ret.append(homedir) - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") - sys.stderr.flush() + rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") if rc[0] == 0: homedir = rc[1].split("=")[1] @@ -78,12 +73,7 @@ homedir = homedir.strip() if not homedir in ret: ret.append(homedir) - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n") - sys.stderr.flush() + if ret == []: ret.append("/home") return ret @@ -242,9 +232,8 @@ if rc[0] == 0: prefix_regex = rc[1].split("\n") else: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to grep/cut/the file contexts\n") - sys.stderr.flush() + warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContectFile())) + exists=1 for regex in prefix_regex: #match a trailing (/*)? which is actually a bug in rpc_pipefs ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Please tell semodule to shut up???? 2005-11-17 16:04 ` Please tell semodule to shut up???? Daniel J Walsh @ 2005-11-17 16:20 ` Daniel J Walsh 2005-11-17 17:09 ` Joshua Brindle 1 sibling, 0 replies; 7+ messages in thread From: Daniel J Walsh @ 2005-11-17 16:20 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux [-- Attachment #1: Type: text/plain, Size: 19 bytes --] Wrong patch -- [-- Attachment #2: policycoreutils-verbose.patch --] [-- Type: text/x-patch, Size: 4519 bytes --] --- policycoreutils-1.27.28/semodule/semodule.c~ 2005-11-16 15:39:03.000000000 -0500 +++ policycoreutils-1.27.28/semodule/semodule.c 2005-11-17 11:02:35.000000000 -0500 @@ -38,7 +38,7 @@ static int num_commands = 0; /* options given on command line */ -static int quiet; +static int verbose; static int reload; static int no_reload; static int build; @@ -122,7 +122,7 @@ printf(" -s,--store name of the store to operate on\n"); printf(" -n,--noreload do not reload policy after commit\n"); printf(" -h,--help print this message and quit\n"); - printf(" -q,--quiet be quiet\n"); + printf(" -v,--verbose be verbose\n"); } /* Sets the global mode variable to new_mode, but only if no other @@ -157,7 +157,7 @@ {"help", 0, NULL, 'h'}, {"install", required_argument, NULL, 'i'}, {"list-modules", 0, NULL, 'l'}, - {"quiet", 0, NULL, 'q'}, + {"verbose", 0, NULL, 'v'}, {"remove", required_argument, NULL, 'r'}, {"upgrade", required_argument, NULL, 'u'}, {"reload", 0, NULL, 'R'}, @@ -166,7 +166,7 @@ {NULL, 0, NULL, 0} }; int i; - quiet = 0; + verbose = 0; reload = 0; no_reload = 0; while ((i = getopt_long(argc, argv, "s:b:hi:lqr:u:RnB", opts, NULL)) != -1) { @@ -175,7 +175,7 @@ case 'h': usage(argv[0]); exit(0); case 'i': set_mode(INSTALL_M, optarg); break; case 'l': set_mode(LIST_M, NULL); break; - case 'q': quiet = 1; break; + case 'v': verbose = 1; break; case 'r': set_mode(REMOVE_M, optarg); break; case 'u': set_mode(UPGRADE_M,optarg); break; case 's': set_store(optarg); break; 
@@ -266,28 +266,28 @@ } switch (mode) { case INSTALL_M: { - if (!quiet) { + if (verbose) { printf("Attempting to install module '%s':\n", mode_arg); } result = semanage_module_install(sh, data, data_len); break; } case UPGRADE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to upgrade module '%s':\n", mode_arg); } result = semanage_module_upgrade(sh, data, data_len); break; } case BASE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to install base module '%s':\n", mode_arg); } result = semanage_module_install_base(sh, data, data_len); break; } case REMOVE_M: { - if (!quiet) { + if (verbose) { printf("Attempting to remove module '%s':\n", mode_arg); } result = semanage_module_remove(sh, mode_arg); @@ -296,7 +296,7 @@ case LIST_M: { semanage_module_info_t *modinfo; int num_modules; - if (!quiet) { + if (verbose) { printf("Attempting to list active modules:\n"); } if ((result = semanage_module_list(sh, &modinfo, &num_modules)) >= 0) { @@ -328,13 +328,13 @@ fprintf(stderr, "Failed!\n"); goto cleanup; } - else if (!quiet) { + else if (verbose) { printf("Ok: return value of %d.\n", result); } } if (commit) { - if (!quiet) { + if (verbose) { printf("Committing changes:\n"); } if (no_reload) { @@ -347,7 +347,7 @@ fprintf(stderr, "Failed!\n"); goto cleanup; } - else if (commit && !quiet) { + else if (commit && verbose) { printf("Ok: transaction number %d.\n", result); } ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Please tell semodule to shut up???? 2005-11-17 16:04 ` Please tell semodule to shut up???? Daniel J Walsh 2005-11-17 16:20 ` Daniel J Walsh @ 2005-11-17 17:09 ` Joshua Brindle 1 sibling, 0 replies; 7+ messages in thread From: Joshua Brindle @ 2005-11-17 17:09 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux Daniel J Walsh wrote: <snip> > - {"quiet", 0, NULL, 'q'}, > + {"verbose", 0, NULL, 'v'}, Why not just run -q in audit2allow, the rpm, etc? I don't understand why a patch is necessary when the flag for the behavior you want already exists. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 7+ messages in thread