* [PATCH] allow semodule -i to accept list of modules
@ 2007-01-08 21:43 Karl MacMillan
From: Karl MacMillan @ 2007-01-08 21:43 UTC
To: SELinux List
The following patch allows semodule to handle a list of modules for
installation (i.e., semodule -i *.pp now works).
Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
--- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 -0500
+++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 -0500
@@ -225,15 +225,6 @@ static void parse_command_line(int argc,
}
}
}
- if (optind < argc) {
- fprintf(stderr, "Extraneous arguments: ");
- while (optind < argc)
- fprintf(stderr, "%s", argv[optind++]);
- fprintf(stderr, "\n");
- usage(argv[0]);
- cleanup();
- exit(1);
- }
if ((build || reload) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
@@ -244,6 +235,24 @@ static void parse_command_line(int argc,
fprintf(stderr, "At least one mode must be specified.\n");
usage(argv[0]);
exit(1);
+ }
+
+ if (optind < argc) {
+ /* if -i was the last command treat any remaining
+ * arguments as modules to allow 'semodule -i *.pp' to
+ * work as expected.
+ */
+ if (commands[num_commands - 1].mode == INSTALL_M) {
+ while (optind < argc)
+ set_mode(INSTALL_M, argv[optind++]);
+ } else {
+ fprintf(stderr, "unknown additional arguments:\n");
+ while (optind < argc)
+ fprintf(stderr, " %s", argv[optind++]);
+ fprintf(stderr, "\n\n");
+ usage(argv[0]);
+ exit(1);
+ }
}
}
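Review bot: `commands[num_commands - 1]` in the new `if (optind < argc)` block is read without first checking that num_commands is greater than zero. The context line `if ((build || reload) && num_commands)` in the previous hunk shows that build or reload can be set while num_commands is 0, so unless the "At least one mode must be specified" check (its condition is not visible in this hunk) rejects that case, a build- or reload-only command line with a trailing argument indexes element -1. Suggest `if (num_commands > 0 && commands[num_commands - 1].mode == INSTALL_M)` so that case falls through to the "unknown additional arguments" branch.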
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH] allow semodule -i to accept list of modules
From: Joshua Brindle @ 2007-01-09 4:08 UTC
To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> The following patch allows semodule to handle a list of modules for
> installation (i.e., semodule -i *.pp now works).
>
>

Hrm, while the current syntax isn't ideal I don't think it's the best idea to change it abruptly. maybe you could make -I use the rest of the arguments or something otherwise this will break any number of rpm's, portage, the refpolicy makefiles and so on.

> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c > --- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 -0500 > +++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 -0500 > @@ -225,15 +225,6 @@ static void parse_command_line(int argc, > } > } > } > - if (optind < argc) { > - fprintf(stderr, "Extraneous arguments: "); > - while (optind < argc) > - fprintf(stderr, "%s", argv[optind++]); > - fprintf(stderr, "\n"); > - usage(argv[0]); > - cleanup(); > - exit(1); > - } > if ((build || reload) && num_commands) { > fprintf(stderr, > "build or reload should not be used with other commands\n");
> @@ -244,6 +235,24 @@ static void parse_command_line(int argc, > fprintf(stderr, "At least one mode must be specified.\n"); > usage(argv[0]); > exit(1); > + } > + > + if (optind < argc) { > + /* if -i was the last command treat any remaining > + * arguments as modules to allow 'semodule -i *.pp' to > + * work as expected. > + */ > + if (commands[num_commands - 1].mode == INSTALL_M) { > + while (optind < argc) > + set_mode(INSTALL_M, argv[optind++]); > + } else { > + fprintf(stderr, "unknown additional arguments:\n"); > + while (optind < argc) > + fprintf(stderr, " %s", argv[optind++]); > + fprintf(stderr, "\n\n"); > + usage(argv[0]); > + exit(1); > + } > } > } > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] allow semodule -i to accept list of modules
From: Karl MacMillan @ 2007-01-09 14:34 UTC
To: Joshua Brindle; +Cc: SELinux List

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> The following patch allows semodule to handle a list of modules for
>> installation (i.e., semodule -i *.pp now works).
>>
>>
> Hrm, while the current syntax isn't ideal I don't think it's the best
> idea to change it abruptly. maybe you could make -I use the rest of the
> arguments or something otherwise this will break any number of rpm's,
> portage, the refpolicy makefiles and so on.
>

I don't see how this could cause breakage as it doesn't change how any currently valid option sequence is processed. Instead, it makes invalid syntax valid (if you look closely at the patch, you can see that I am actually changing a fatal error path - so what I describe is guaranteed to be true).

I prefer this approach because I think it is the least surprising. I constantly try the syntax this patch allows only to remember that it doesn't work.

Karl

>> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>>
>> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c >> --- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 >> -0500 >> +++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 >> -0500 >> @@ -225,15 +225,6 @@ static void parse_command_line(int argc, >> } >> } >> } >> - if (optind < argc) { >> - fprintf(stderr, "Extraneous arguments: "); >> - while (optind < argc) >> - fprintf(stderr, "%s", argv[optind++]); >> - fprintf(stderr, "\n"); >> - usage(argv[0]); >> - cleanup(); >> - exit(1); >> - } >> if ((build || reload) && num_commands) { >> fprintf(stderr, >> "build or reload should not be used with other commands\n");
>> @@ -244,6 +235,24 @@ static void parse_command_line(int argc, >> fprintf(stderr, "At least one mode must be specified.\n"); >> usage(argv[0]); >> exit(1); >> + } >> + >> + if (optind < argc) { >> + /* if -i was the last command treat any remaining >> + * arguments as modules to allow 'semodule -i *.pp' to >> + * work as expected. >> + */ >> + if (commands[num_commands - 1].mode == INSTALL_M) { >> + while (optind < argc) >> + set_mode(INSTALL_M, argv[optind++]); >> + } else { >> + fprintf(stderr, "unknown additional arguments:\n"); >> + while (optind < argc) >> + fprintf(stderr, " %s", argv[optind++]); >> + fprintf(stderr, "\n\n"); >> + usage(argv[0]); >> + exit(1); >> + } >> } >> } >> >> >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to >> majordomo@tycho.nsa.gov with >> the words "unsubscribe selinux" without quotes as the message. >> >> > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] allow semodule -i to accept list of modules
From: Joshua Brindle @ 2007-01-09 15:10 UTC
To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> Joshua Brindle wrote:
>> Karl MacMillan wrote:
>>> The following patch allows semodule to handle a list of modules for
>>> installation (i.e., semodule -i *.pp now works).
>>>
>>>
>> Hrm, while the current syntax isn't ideal I don't think it's the best
>> idea to change it abruptly. maybe you could make -I use the rest of
>> the arguments or something otherwise this will break any number of
>> rpm's, portage, the refpolicy makefiles and so on.
>>
>
> I don't see how this could cause breakage as it doesn't change how any
> currently valid option sequence is processed. Instead, it makes invalid
> syntax valid (if you look closely at the patch, you can see that I am
> actually changing a fatal error path - so what I describe is guaranteed
> to be true).
>
> I prefer this approach because I think it is the least surprising. I
> constantly try the syntax this patch allows only to remember that it
> doesn't work.
>

oops, you are right.. do you think having 2 distinct syntaxes for the same argument will be less surprising than splitting them up?
* Re: [PATCH] allow semodule -i to accept list of modules
From: Karl MacMillan @ 2007-01-09 15:27 UTC
To: Joshua Brindle; +Cc: SELinux List

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Joshua Brindle wrote:
>>> Karl MacMillan wrote:
>>>> The following patch allows semodule to handle a list of modules for
>>>> installation (i.e., semodule -i *.pp now works).
>>>>
>>>>
>>> Hrm, while the current syntax isn't ideal I don't think it's the best
>>> idea to change it abruptly. maybe you could make -I use the rest of
>>> the arguments or something otherwise this will break any number of
>>> rpm's, portage, the refpolicy makefiles and so on.
>>>
>>
>> I don't see how this could cause breakage as it doesn't change how any
>> currently valid option sequence is processed. Instead, it makes
>> invalid syntax valid (if you look closely at the patch, you can see
>> that I am actually changing a fatal error path - so what I describe is
>> guaranteed to be true).
>>
>> I prefer this approach because I think it is the least surprising. I
>> constantly try the syntax this patch allows only to remember that it
>> doesn't work.
>>
>
> oops, you are right.. do you think having 2 distinct syntaxes for the
> same argument will be less surprising than splitting them up?
>

No. I think that common current usage is 'semodule -i somemodule.pp' and 'semodule -i *.pp' (or some other glob) is very natural. I doubt that many people actually use 'semodule -i foo.pp -i bar.pp' besides some scripts.

Karl
* Re: [PATCH] allow semodule -i to accept list of modules
From: Joshua Brindle @ 2007-01-09 16:17 UTC
To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> The following patch allows semodule to handle a list of modules for
> installation (i.e., semodule -i *.pp now works).
>
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
>

Acked-By: Joshua Brindle <jbrindle@tresys.com>

> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c > --- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 -0500 > +++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 -0500 > @@ -225,15 +225,6 @@ static void parse_command_line(int argc, > } > } > } > - if (optind < argc) { > - fprintf(stderr, "Extraneous arguments: "); > - while (optind < argc) > - fprintf(stderr, "%s", argv[optind++]); > - fprintf(stderr, "\n"); > - usage(argv[0]); > - cleanup(); > - exit(1); > - } > if ((build || reload) && num_commands) { > fprintf(stderr, > "build or reload should not be used with other commands\n");
> @@ -244,6 +235,24 @@ static void parse_command_line(int argc, > fprintf(stderr, "At least one mode must be specified.\n"); > usage(argv[0]); > exit(1); > + } > + > + if (optind < argc) { > + /* if -i was the last command treat any remaining > + * arguments as modules to allow 'semodule -i *.pp' to > + * work as expected. > + */ > + if (commands[num_commands - 1].mode == INSTALL_M) { > + while (optind < argc) > + set_mode(INSTALL_M, argv[optind++]); > + } else { > + fprintf(stderr, "unknown additional arguments:\n"); > + while (optind < argc) > + fprintf(stderr, " %s", argv[optind++]); > + fprintf(stderr, "\n\n"); > + usage(argv[0]); > + exit(1); > + } > } > } > > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] allow semodule -i to accept list of modules
From: Stephen Smalley @ 2007-01-09 20:17 UTC
To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> Karl MacMillan wrote:
> > The following patch allows semodule to handle a list of modules for
> > installation (i.e., semodule -i *.pp now works).
> >
> > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> >
> >
> Acked-By: Joshua Brindle <jbrindle@tresys.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

This means we can also update the semodule man page to remove the gross hack we came up with to work around the absence of such support,

# Replace all modules with the ones in the current directory
$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`

> > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c > > --- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 -0500 > > +++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 -0500 > > @@ -225,15 +225,6 @@ static void parse_command_line(int argc, > > } > > } > > } > > - if (optind < argc) { > > - fprintf(stderr, "Extraneous arguments: "); > > - while (optind < argc) > > - fprintf(stderr, "%s", argv[optind++]); > > - fprintf(stderr, "\n"); > > - usage(argv[0]); > > - cleanup(); > > - exit(1); > > - } > > if ((build || reload) && num_commands) { > > fprintf(stderr, > > "build or reload should not be used with other commands\n");
> > @@ -244,6 +235,24 @@ static void parse_command_line(int argc, > > fprintf(stderr, "At least one mode must be specified.\n"); > > usage(argv[0]); > > exit(1); > > + } > > + > > + if (optind < argc) { > > + /* if -i was the last command treat any remaining > > + * arguments as modules to allow 'semodule -i *.pp' to > > + * work as expected. > > + */ > > + if (commands[num_commands - 1].mode == INSTALL_M) { > > + while (optind < argc) > > + set_mode(INSTALL_M, argv[optind++]); > > + } else { > > + fprintf(stderr, "unknown additional arguments:\n"); > > + while (optind < argc) > > + fprintf(stderr, " %s", argv[optind++]); > > + fprintf(stderr, "\n\n"); > > + usage(argv[0]); > > + exit(1); > > + } > > } > > } > > > > > > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] allow semodule -i to accept list of modules
From: Stephen Smalley @ 2007-01-09 20:43 UTC
To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > Karl MacMillan wrote:
> > > The following patch allows semodule to handle a list of modules for
> > > installation (i.e., semodule -i *.pp now works).
> > >
> > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > >
> > >
> > Acked-By: Joshua Brindle <jbrindle@tresys.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> This means we can also update the semodule man page to remove the gross
> hack we came up with to work around the absence of such support,
> # Replace all modules with the ones in the current directory
> $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`

BTW, any reason we wouldn't support the same thing for -u or -r?

>
> > > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c > > > --- a/policycoreutils/semodule/semodule.c Mon Jan 08 15:00:14 2007 -0500 > > > +++ b/policycoreutils/semodule/semodule.c Mon Jan 08 16:37:23 2007 -0500 > > > @@ -225,15 +225,6 @@ static void parse_command_line(int argc, > > > } > > > } > > > } > > > - if (optind < argc) { > > > - fprintf(stderr, "Extraneous arguments: "); > > > - while (optind < argc) > > > - fprintf(stderr, "%s", argv[optind++]); > > > - fprintf(stderr, "\n"); > > > - usage(argv[0]); > > > - cleanup(); > > > - exit(1); > > > - } > > > if ((build || reload) && num_commands) { > > > fprintf(stderr, > > > "build or reload should not be used with other commands\n");
> > > @@ -244,6 +235,24 @@ static void parse_command_line(int argc, > > > fprintf(stderr, "At least one mode must be specified.\n"); > > > usage(argv[0]); > > > exit(1); > > > + } > > > + > > > + if (optind < argc) { > > > + /* if -i was the last command treat any remaining > > > + * arguments as modules to allow 'semodule -i *.pp' to > > > + * work as expected. > > > + */ > > > + if (commands[num_commands - 1].mode == INSTALL_M) { > > > + while (optind < argc) > > > + set_mode(INSTALL_M, argv[optind++]); > > > + } else { > > > + fprintf(stderr, "unknown additional arguments:\n"); > > > + while (optind < argc) > > > + fprintf(stderr, " %s", argv[optind++]); > > > + fprintf(stderr, "\n\n"); > > > + usage(argv[0]); > > > + exit(1); > > > + } > > > } > > > } > > > > > > > > > > > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] allow semodule -i to accept list of modules
From: Karl MacMillan @ 2007-01-09 21:52 UTC
To: Stephen Smalley; +Cc: Joshua Brindle, SELinux List

On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > Karl MacMillan wrote:
> > > > The following patch allows semodule to handle a list of modules for
> > > > installation (i.e., semodule -i *.pp now works).
> > > >
> > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > >
> > > >
> > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> >
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
> > This means we can also update the semodule man page to remove the gross
> > hack we came up with to work around the absence of such support,
> > # Replace all modules with the ones in the current directory
> > $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
>
> BTW, any reason we wouldn't support the same thing for -u or -r?
>

Patch below. It is less useful for -r, but still potentially easier. As for the man page, that is updated but the command for updating from /usr/share/selinux/policyname still sucks. I came up with:

ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i

Gets rid of awk (so it is potentially easier for many), but it is longer. At some point someone should make semodule just do the right thing for a mixed list of modules and base modules. Of course, even that wouldn't work for the /usr/share/selinux directories because of enableaudit, so I give up.

Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>

diff -r a70fbd24a437 policycoreutils/semodule/semodule.8
--- a/policycoreutils/semodule/semodule.8 Tue Jan 09 16:21:10 2007 -0500 +++ b/policycoreutils/semodule/semodule.8 Tue Jan 09 16:46:35 2007 -0500 @@ -59,7 +59,10 @@ be verbose # List non-base modules. $ semodule -l # Replace all modules with the ones in the current directory -$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'` +$ semodule -i *.pp +# Replace all modules with the ones in the current directory +# excluding base.pp and enableaudit.pp +$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i .fi .SH SEE ALSO diff -r a70fbd24a437 policycoreutils/semodule/semodule.c --- a/policycoreutils/semodule/semodule.c Tue Jan 09 16:21:10 2007 -0500 +++ b/policycoreutils/semodule/semodule.c Tue Jan 09 16:46:35 2007 -0500 @@ -238,13 +238,17 @@ static void parse_command_line(int argc, } if (optind < argc) { - /* if -i was the last command treat any remaining - * arguments as modules to allow 'semodule -i *.pp' to + int mode; + /* if -i/u/r was the last command treat any remaining + * arguments as args. Will allow 'semodule -i *.pp' to * work as expected. */ if (commands[num_commands - 1].mode == INSTALL_M) { - while (optind < argc) - set_mode(INSTALL_M, argv[optind++]); + mode = INSTALL_M; + } else if (commands[num_commands - 1].mode == UPGRADE_M) { + mode = UPGRADE_M; + } else if (commands[num_commands - 1].mode == REMOVE_M) { + mode = REMOVE_M; } else { fprintf(stderr, "unknown additional arguments:\n"); while (optind < argc) @@ -253,6 +257,8 @@ static void parse_command_line(int argc, usage(argv[0]); exit(1); } + while (optind < argc) + set_mode(mode, argv[optind++]); } } -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
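Review bot: in the semodule.8 hunk, the pattern in `grep -Ev "base.pp|enableaudit.pp"` is an unanchored regular expression, so it also drops any file whose name merely contains one of those strings (a module file named database.pp, for instance). Match whole names instead, e.g. `grep -Evx 'base\.pp|enableaudit\.pp'`. The same hunk keeps the comment "Replace all modules with the ones in the current directory" above `semodule -i *.pp`, but the removed line passed base.pp with -b while the new glob hands it to -i; the text should say what is expected to happen to a base.pp in that directory.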
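Review bot: in the semodule.c hunk at @@ -238,13 +238,17 @@, the if/else-if chain reads `commands[num_commands - 1].mode` up to three times and still has no `num_commands > 0` guard in front of it. Read the value once into mode behind that guard and test `mode == INSTALL_M || mode == UPGRADE_M || mode == REMOVE_M`; that also removes the three assignments that copy the value they have just compared. The reworded comment ("treat any remaining arguments as args") says less than the one it replaces and could name what the arguments become.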
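Review bot: in the last semodule.c hunk (@@ -253,6 +257,8 @@), the loop `while (optind < argc) set_mode(mode, argv[optind++]);` now also runs for UPGRADE_M and REMOVE_M, but the semodule.8 hunk in the same patch documents only the -i form. Add the -u and -r forms to the man page and state there what kind of argument each expects, since a shell glob such as *.pp expands to file names.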
* Re: [PATCH] allow semodule -i to accept list of modules
From: Stephen Smalley @ 2007-01-10 13:46 UTC
To: Karl MacMillan; +Cc: Joshua Brindle, SELinux List

On Tue, 2007-01-09 at 16:52 -0500, Karl MacMillan wrote:
> On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > Karl MacMillan wrote:
> > > > > The following patch allows semodule to handle a list of modules for
> > > > > installation (i.e., semodule -i *.pp now works).
> > > > >
> > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > > >
> > > > >
> > > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > >
> > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> > >
> > > This means we can also update the semodule man page to remove the gross
> > > hack we came up with to work around the absence of such support,
> > > # Replace all modules with the ones in the current directory
> > > $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> >
> > BTW, any reason we wouldn't support the same thing for -u or -r?
> >
>
> Patch below. It is less useful for -r, but still potentially easier. As
> for the man page, that is updated but the command for updating
> from /usr/share/selinux/policyname still sucks. I came up with:
>
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i

That has a different effect. The original command replaces the base module and any already installed module (semodule -l output) with ones from the current directory as a single transaction without installing any new modules, while your command would replace any non-base modules and install any new ones, without updating the base module (which could very well fail due to dependencies on the base). Both actually seem wrong to me - we do want to install all of the non-base modules from the directory as per your command but we need to include the base in the same transaction.

> Gets rid of awk (so it is potentially easier for many), but it is
> longer. At some point someone should make semodule just do the right
> thing for a mixed list of modules and base modules. Of course, even that
> wouldn't work for the /usr/share/selinux directories because of
> enableaudit, so I give up.
>
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
> diff -r a70fbd24a437 policycoreutils/semodule/semodule.8 > --- a/policycoreutils/semodule/semodule.8 Tue Jan 09 16:21:10 2007 -0500
> +++ b/policycoreutils/semodule/semodule.8 Tue Jan 09 16:46:35 2007 -0500 > @@ -59,7 +59,10 @@ be verbose > # List non-base modules. > $ semodule -l > # Replace all modules with the ones in the current directory > -$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'` > +$ semodule -i *.pp > +# Replace all modules with the ones in the current directory > +# excluding base.pp and enableaudit.pp > +$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i > .fi > > .SH SEE ALSO > diff -r a70fbd24a437 policycoreutils/semodule/semodule.c > --- a/policycoreutils/semodule/semodule.c Tue Jan 09 16:21:10 2007 -0500 > +++ b/policycoreutils/semodule/semodule.c Tue Jan 09 16:46:35 2007 -0500 > @@ -238,13 +238,17 @@ static void parse_command_line(int argc, > } > > if (optind < argc) { > - /* if -i was the last command treat any remaining > - * arguments as modules to allow 'semodule -i *.pp' to > + int mode; > + /* if -i/u/r was the last command treat any remaining > + * arguments as args. Will allow 'semodule -i *.pp' to > * work as expected. > */ > if (commands[num_commands - 1].mode == INSTALL_M) { > - while (optind < argc) > - set_mode(INSTALL_M, argv[optind++]); > + mode = INSTALL_M; > + } else if (commands[num_commands - 1].mode == UPGRADE_M) { > + mode = UPGRADE_M; > + } else if (commands[num_commands - 1].mode == REMOVE_M) { > + mode = REMOVE_M; > } else { > fprintf(stderr, "unknown additional arguments:\n"); > while (optind < argc) > @@ -253,6 +257,8 @@ static void parse_command_line(int argc, > usage(argv[0]); > exit(1); > } > + while (optind < argc) > + set_mode(mode, argv[optind++]); > } > } > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
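The point made in the reply above (install the non-base modules and the base module in one transaction), as an added shell example that is not from the thread or from policycoreutils. `make_sample_dir`, `grep_filter` and `txn_args` are hypothetical helper names, the .pp files are empty constructed samples, and the printed command assumes a semodule with this patch applied, so that names following the last -i are installed.

```shell
#!/bin/sh
# Added example (not policycoreutils code): pick the files for ONE semodule
# invocation that carries the base module and every other module together.

# make_sample_dir: constructed sample data, empty files named like modules.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for n in base enableaudit apache database; do
        : > "$d/$n.pp"
    done
    printf '%s\n' "$d"
}

# grep_filter DIR: the name filter from the pipeline quoted in the thread,
# without the xargs/semodule stage. The pattern is an unanchored regex, so
# "base.pp" also matches inside "database.pp" and that module is dropped.
grep_filter() {
    (cd "$1" && ls *.pp | grep -Ev "base.pp|enableaudit.pp")
}

# txn_args DIR: print, one per line, the arguments for a single invocation:
#   -b DIR/base.pp -i DIR/mod1.pp DIR/mod2.pp ...
# Names are compared exactly with case, so only base.pp and enableaudit.pp
# are skipped. Assumes file names contain no newlines.
txn_args() {
    dir=$1
    if [ ! -f "$dir/base.pp" ]; then
        echo "txn_args: $dir/base.pp not found" >&2
        return 1
    fi
    printf '%s\n' -b "$dir/base.pp"
    need_i=1
    for f in "$dir"/*.pp; do
        [ -f "$f" ] || continue          # glob matched nothing
        case ${f##*/} in
            base.pp|enableaudit.pp) continue ;;
        esac
        if [ "$need_i" -eq 1 ]; then
            printf '%s\n' -i             # trailing names follow a single -i
            need_i=0
        fi
        printf '%s\n' "$f"
    done
}

# Demo: print the command instead of running it, because semodule needs
# root and a policy store.
sample=$(make_sample_dir)
echo "grep filter keeps: $(grep_filter "$sample" | tr '\n' ' ')"
echo "one transaction:   semodule $(txn_args "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```
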
* Re: [PATCH] allow semodule -i to accept list of modules
From: Stephen Smalley @ 2007-01-11 17:36 UTC
To: Karl MacMillan; +Cc: Joshua Brindle, SELinux List

On Wed, 2007-01-10 at 08:46 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 16:52 -0500, Karl MacMillan wrote:
> > On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > > Karl MacMillan wrote:
> > > > > > The following patch allows semodule to handle a list of modules for
> > > > > > installation (i.e., semodule -i *.pp now works).
> >
> > > > > > > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com> > > > > > > > > > > > > > > > > > Acked-By: Joshua Brindle <jbrindle@tresys.com> > > > > > > > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > > > > > > > > This means we can also update the semodule man page to remove the gross > > > > hack we came up with to workaround the absence of such support, > > > > # Replace all modules with the ones in the current directory > > > > $ semodule -b base.pp ‘semodule -l | awk ’{print "-i " $1 > > > > ".pp"}’‘ > > > > > > BTW, any reason we wouldn't support the same thing for -u or -r? > > > > > > > Patch below. It is less useful for -r, but still potentially easier. As > > for the man page, that is updated but the command for updating > > from /usr/share/selinux/policyname still sucks. I came up with: > > > > ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule > > -i > > That has a different effect. The original command replaces the base > module and any already installed module (semodule -l output) with ones > from the current directory as a single transaction without installing > any new modules, while your command would replace any non-base modules > and install any new ones, without updating the base module (which could > very well fail due to dependencies on the base). Both actually seem > wrong to me - we do want to install all of the non-base modules from the > directory as per your command but we need to include the base in the > same transaction. > > > Gets rid of awk (so it is potentially easier for many), but it is > > longer. At some point someone should make semodule just do the right > > thing for a mixed list of modules and base modules. Of course, even that > > wouldn't work for the /usr/share/selinux directories because of > > enableaudit, so I give up. > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com> > > > > diff -r a70fbd24a437 policycoreutils/semodule/semodule.8 
> > --- a/policycoreutils/semodule/semodule.8 Tue Jan 09 16:21:10 2007 -0500 > > +++ b/policycoreutils/semodule/semodule.8 Tue Jan 09 16:46:35 2007 -0500 > > @@ -59,7 +59,10 @@ be verbose > > # List non-base modules. > > $ semodule -l > > # Replace all modules with the ones in the current directory > > -$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'` > > +$ semodule -i *.pp > > +# Replace all modules with the ones in the current directory > > +# excluding base.pp and enableaudit.pp > > +$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i > > .fi > > > > .SH SEE ALSO > > diff -r a70fbd24a437 policycoreutils/semodule/semodule.c > > --- a/policycoreutils/semodule/semodule.c Tue Jan 09 16:21:10 2007 -0500 > > +++ b/policycoreutils/semodule/semodule.c Tue Jan 09 16:46:35 2007 -0500 > > @@ -238,13 +238,17 @@ static void parse_command_line(int argc, > > } > > > > if (optind < argc) { > > - /* if -i was the last command treat any remaining > > - * arguments as modules to allow 'semodule -i *.pp' to > > + int mode; > > + /* if -i/u/r was the last command treat any remaining > > + * arguments as args. Will allow 'semodule -i *.pp' to > > * work as expected. > > */ > > if (commands[num_commands - 1].mode == INSTALL_M) { > > - while (optind < argc) > > - set_mode(INSTALL_M, argv[optind++]); > > + mode = INSTALL_M; > > + } else if (commands[num_commands - 1].mode == UPGRADE_M) { > > + mode = UPGRADE_M; > > + } else if (commands[num_commands - 1].mode == REMOVE_M) { > > + mode = REMOVE_M; > > } else { > > fprintf(stderr, "unknown additional arguments:\n"); > > while (optind < argc) 
> > @@ -253,6 +257,8 @@ static void parse_command_line(int argc, > > usage(argv[0]); > > exit(1); > > } > > + while (optind < argc) > > + set_mode(mode, argv[optind++]); > > } > > } > > Merged with some changes to the man page in policycoreutils 1.33.12. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
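Review bot: In the semodule.8 hunk, the added example that pipes ls *.pp through grep -Ev "base.pp|enableaudit.pp" uses an unanchored pattern whose dots match any character, so a module file such as database.pp would be filtered out along with base.pp; an anchored, escaped pattern such as '^(base|enableaudit)\.pp$' excludes only the two intended files. The two added examples also share the same first comment line ("Replace all modules with the ones in the current directory") even though the first one hands every .pp file to -i where the removed line passed base.pp through -b, so each comment should state what its command actually installs.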
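Review bot: In the semodule.c hunks, commands[num_commands - 1].mode is read whenever optind < argc, and nothing in the visible lines guarantees num_commands > 0 at that point. The check shown in the earlier version of this patch, if ((build || reload) && num_commands), implies that build and reload are run with num_commands == 0, so trailing arguments after such an invocation would index commands[-1]. Suggest testing num_commands > 0 before the lookup and falling through to the "unknown additional arguments" error otherwise. The if/else chain that copies INSTALL_M, UPGRADE_M or REMOVE_M into mode could then be a single read of the last command's mode followed by one membership test.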
* RE: [PATCH] allow semodule -i to accept list of modules 2007-01-09 20:43 ` Stephen Smalley 2007-01-09 21:52 ` Karl MacMillan @ 2007-01-09 21:53 ` Joshua Brindle 2007-01-10 13:29 ` Stephen Smalley 1 sibling, 1 reply; 13+ messages in thread From: Joshua Brindle @ 2007-01-09 21:53 UTC (permalink / raw) To: Stephen Smalley; +Cc: Karl MacMillan, SELinux List > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote: > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote: > > > Karl MacMillan wrote: > > > > The following patch allows semodule to handle a list of modules > > > > for installation (i.e., semodule -i *.pp now works). > > > > > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com> > > > > > > > > > > > Acked-By: Joshua Brindle <jbrindle@tresys.com> > > > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > > > > This means we can also update the semodule man page to remove the > > gross hack we came up with to workaround the absence of > such support, > > # Replace all modules with the ones in the current directory > > $ semodule -b base.pp 'semodule -l | awk '{print "-i " $1 > > ".pp"}'' > > BTW, any reason we wouldn't support the same thing for -u or -r? > -r wouldn't work well because it wants the name of the module (eg., apache) instead of the filename (apache.pp) > > > > > > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c > > > > --- a/policycoreutils/semodule/semodule.c Mon Jan > 08 15:00:14 2007 -0500 > > > > +++ b/policycoreutils/semodule/semodule.c Mon Jan > 08 16:37:23 2007 -0500 
> > > > @@ -225,15 +225,6 @@ static void parse_command_line(int argc, > > > > } > > > > } > > > > } > > > > - if (optind < argc) { > > > > - fprintf(stderr, "Extraneous arguments: "); > > > > - while (optind < argc) > > > > - fprintf(stderr, "%s", argv[optind++]); > > > > - fprintf(stderr, "\n"); > > > > - usage(argv[0]); > > > > - cleanup(); > > > > - exit(1); > > > > - } > > > > if ((build || reload) && num_commands) { > > > > fprintf(stderr, > > > > "build or reload should not be > used with other commands\n"); > > > > @@ -244,6 +235,24 @@ static void parse_command_line(int argc, > > > > fprintf(stderr, "At least one mode must > be specified.\n"); > > > > usage(argv[0]); > > > > exit(1); > > > > + } > > > > + > > > > + if (optind < argc) { > > > > + /* if -i was the last command treat any > remaining > > > > + * arguments as modules to allow > 'semodule -i *.pp' to > > > > + * work as expected. > > > > + */ > > > > + if (commands[num_commands - 1].mode == > INSTALL_M) { > > > > + while (optind < argc) > > > > + set_mode(INSTALL_M, > argv[optind++]); > > > > + } else { > > > > + fprintf(stderr, "unknown > additional arguments:\n"); > > > > + while (optind < argc) > > > > + fprintf(stderr, " %s", > argv[optind++]); > > > > + fprintf(stderr, "\n\n"); > > > > + usage(argv[0]); > > > > + exit(1); > > > > + } > > > > } > > > > } > > > > > > > > > > > > > > > > > > > -- > Stephen Smalley > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 13+ messages in thread
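Review bot: The error path loses its cleanup() call: the removed "Extraneous arguments" block in the first hunk ran usage(argv[0]), cleanup() and then exit(1), while the new else branch in the second hunk goes from usage(argv[0]) straight to exit(1). If cleanup() was releasing state built up while the options were parsed, it should be kept on the new path as well; if it is no longer needed there, the commit message should say why.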
* RE: [PATCH] allow semodule -i to accept list of modules
2007-01-09 21:53 ` Joshua Brindle
@ 2007-01-10 13:29 ` Stephen Smalley
0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2007-01-10 13:29 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 16:53 -0500, Joshua Brindle wrote:
> > From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> >
> > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > Karl MacMillan wrote:
> > > > > The following patch allows semodule to handle a list of modules
> > > > > for installation (i.e., semodule -i *.pp now works).
> > > > >
> > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > > >
> > > > >
> > > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > >
> > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> > >
> > > This means we can also update the semodule man page to remove the
> > > gross hack we came up with to workaround the absence of
> > such support,
> > > # Replace all modules with the ones in the current directory
> > > $ semodule -b base.pp 'semodule -l | awk '{print "-i " $1
> > > ".pp"}''
> >
> > BTW, any reason we wouldn't support the same thing for -u or -r?
> >
>
> -r wouldn't work well because it wants the name of the module (eg.,
> apache) instead of the filename (apache.pp)

Still useful for e.g. removing a list of modules specified in a file,
ala semodule -r `cat killlist`

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 13+ messages in thread