* [PATCH] allow semodule -i to accept list of modules
@ 2007-01-08 21:43 Karl MacMillan
  2007-01-09  4:08 ` Joshua Brindle
  2007-01-09 16:17 ` Joshua Brindle
  0 siblings, 2 replies; 13+ messages in thread
From: Karl MacMillan @ 2007-01-08 21:43 UTC (permalink / raw)
  To: SELinux List

The following patch allows semodule to handle a list of modules for
installation (i.e., semodule -i *.pp now works).

Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>

diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
--- a/policycoreutils/semodule/semodule.c	Mon Jan 08 15:00:14 2007 -0500
+++ b/policycoreutils/semodule/semodule.c	Mon Jan 08 16:37:23 2007 -0500
@@ -225,15 +225,6 @@ static void parse_command_line(int argc,
 			}
 		}
 	}
-	if (optind < argc) {
-		fprintf(stderr, "Extraneous arguments:  ");
-		while (optind < argc)
-			fprintf(stderr, "%s", argv[optind++]);
-		fprintf(stderr, "\n");
-		usage(argv[0]);
-		cleanup();
-		exit(1);
-	}
 	if ((build || reload) && num_commands) {
 		fprintf(stderr,
 			"build or reload should not be used with other commands\n");
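Review bot: the removed block called cleanup() before exit(1), but the
replacement error path added in the next hunk only calls usage() and
exit(1). If cleanup() releases anything set up during option parsing, keep
the call in the new else branch, or say in the commit message why it is no
longer needed. Moving the check below the build/reload test also changes
which error is reported first when both conditions apply; worth confirming
that this is intended.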
@@ -244,6 +235,24 @@ static void parse_command_line(int argc,
 		fprintf(stderr, "At least one mode must be specified.\n");
 		usage(argv[0]);
 		exit(1);
+	}
+
+	if (optind < argc) {
+		/* if -i was the last command treat any remaining
+		 * arguments as modules to allow 'semodule -i *.pp' to
+		 * work as expected.
+		 */
+		if (commands[num_commands - 1].mode == INSTALL_M) {
+			while (optind < argc)
+				set_mode(INSTALL_M, argv[optind++]);
+		} else {
+			fprintf(stderr, "unknown additional arguments:\n");
+			while (optind < argc)
+				fprintf(stderr, " %s", argv[optind++]);
+			fprintf(stderr, "\n\n");
+			usage(argv[0]);
+			exit(1);
+		}
 	}
 }
 
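Review bot: `commands[num_commands - 1]` in the new block is read without
checking that num_commands is non-zero. The `(build || reload) &&
num_commands` test in the previous hunk shows that build or reload can be
requested with no entries in commands, so unless the "At least one mode"
test (its condition is outside the hunk) rejects that case, a stray
trailing argument leads to indexing element -1. Suggest
`if (num_commands > 0 && commands[num_commands - 1].mode == INSTALL_M)`
so that the case falls through to the usage error.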



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-08 21:43 [PATCH] allow semodule -i to accept list of modules Karl MacMillan
@ 2007-01-09  4:08 ` Joshua Brindle
  2007-01-09 14:34   ` Karl MacMillan
  2007-01-09 16:17 ` Joshua Brindle
  1 sibling, 1 reply; 13+ messages in thread
From: Joshua Brindle @ 2007-01-09  4:08 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> The following patch allows semodule to handle a list of modules for
> installation (i.e., semodule -i *.pp now works).
>
>   
Hrm, while the current syntax isn't ideal, I don't think it's the best
idea to change it abruptly. Maybe you could make -I use the rest of the
arguments or something; otherwise this will break any number of RPMs,
portage, the refpolicy makefiles and so on.

> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
> --- a/policycoreutils/semodule/semodule.c	Mon Jan 08 15:00:14 2007 -0500
> +++ b/policycoreutils/semodule/semodule.c	Mon Jan 08 16:37:23 2007 -0500
> @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
>  			}
>  		}
>  	}
> -	if (optind < argc) {
> -		fprintf(stderr, "Extraneous arguments:  ");
> -		while (optind < argc)
> -			fprintf(stderr, "%s", argv[optind++]);
> -		fprintf(stderr, "\n");
> -		usage(argv[0]);
> -		cleanup();
> -		exit(1);
> -	}
>  	if ((build || reload) && num_commands) {
>  		fprintf(stderr,
>  			"build or reload should not be used with other commands\n");
> @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
>  		fprintf(stderr, "At least one mode must be specified.\n");
>  		usage(argv[0]);
>  		exit(1);
> +	}
> +
> +	if (optind < argc) {
> +		/* if -i was the last command treat any remaining
> +		 * arguments as modules to allow 'semodule -i *.pp' to
> +		 * work as expected.
> +		 */
> +		if (commands[num_commands - 1].mode == INSTALL_M) {
> +			while (optind < argc)
> +				set_mode(INSTALL_M, argv[optind++]);
> +		} else {
> +			fprintf(stderr, "unknown additional arguments:\n");
> +			while (optind < argc)
> +				fprintf(stderr, " %s", argv[optind++]);
> +			fprintf(stderr, "\n\n");
> +			usage(argv[0]);
> +			exit(1);
> +		}
>  	}
>  }
>  
>
>
>

* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09  4:08 ` Joshua Brindle
@ 2007-01-09 14:34   ` Karl MacMillan
  2007-01-09 15:10     ` Joshua Brindle
  0 siblings, 1 reply; 13+ messages in thread
From: Karl MacMillan @ 2007-01-09 14:34 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SELinux List

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> The following patch allows semodule to handle a list of modules for
>> installation (i.e., semodule -i *.pp now works).
>>
>>   
> Hrm, while the current syntax isn't ideal, I don't think it's the best
> idea to change it abruptly. Maybe you could make -I use the rest of the
> arguments or something; otherwise this will break any number of RPMs,
> portage, the refpolicy makefiles and so on.
> 

I don't see how this could cause breakage as it doesn't change how any 
currently valid option sequence is processed. Instead, it makes invalid 
syntax valid (if you look closely at the patch, you can see that I am 
actually changing a fatal error path - so what I describe is guaranteed 
to be true).

I prefer this approach because I think it is the least surprising. I 
constantly try the syntax this patch allows only to remember that it 
doesn't work.

Karl

>> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>>
>> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
>> --- a/policycoreutils/semodule/semodule.c    Mon Jan 08 15:00:14 2007 
>> -0500
>> +++ b/policycoreutils/semodule/semodule.c    Mon Jan 08 16:37:23 2007 
>> -0500
>> @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
>>              }
>>          }
>>      }
>> -    if (optind < argc) {
>> -        fprintf(stderr, "Extraneous arguments:  ");
>> -        while (optind < argc)
>> -            fprintf(stderr, "%s", argv[optind++]);
>> -        fprintf(stderr, "\n");
>> -        usage(argv[0]);
>> -        cleanup();
>> -        exit(1);
>> -    }
>>      if ((build || reload) && num_commands) {
>>          fprintf(stderr,
>>              "build or reload should not be used with other commands\n");
>> @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
>>          fprintf(stderr, "At least one mode must be specified.\n");
>>          usage(argv[0]);
>>          exit(1);
>> +    }
>> +
>> +    if (optind < argc) {
>> +        /* if -i was the last command treat any remaining
>> +         * arguments as modules to allow 'semodule -i *.pp' to
>> +         * work as expected.
>> +         */
>> +        if (commands[num_commands - 1].mode == INSTALL_M) {
>> +            while (optind < argc)
>> +                set_mode(INSTALL_M, argv[optind++]);
>> +        } else {
>> +            fprintf(stderr, "unknown additional arguments:\n");
>> +            while (optind < argc)
>> +                fprintf(stderr, " %s", argv[optind++]);
>> +            fprintf(stderr, "\n\n");
>> +            usage(argv[0]);
>> +            exit(1);
>> +        }
>>      }
>>  }
>>  
>>
>>
>>

* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 14:34   ` Karl MacMillan
@ 2007-01-09 15:10     ` Joshua Brindle
  2007-01-09 15:27       ` Karl MacMillan
  0 siblings, 1 reply; 13+ messages in thread
From: Joshua Brindle @ 2007-01-09 15:10 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> Joshua Brindle wrote:
>> Karl MacMillan wrote:
>>> The following patch allows semodule to handle a list of modules for
>>> installation (i.e., semodule -i *.pp now works).
>>>
>>>   
>> Hrm, while the current syntax isn't ideal, I don't think it's the best
>> idea to change it abruptly. Maybe you could make -I use the rest of
>> the arguments or something; otherwise this will break any number of
>> RPMs, portage, the refpolicy makefiles and so on.
>>
> 
> I don't see how this could cause breakage as it doesn't change how any 
> currently valid option sequence is processed. Instead, it makes invalid 
> syntax valid (if you look closely at the patch, you can see that I am 
> actually changing a fatal error path - so what I describe is guaranteed 
> to be true).
> 
> I prefer this approach because I think it is the least surprising. I 
> constantly try the syntax this patch allows only to remember that it 
> doesn't work.
> 

Oops, you are right. Do you think having 2 distinct syntaxes for the
same argument will be less surprising than splitting them up?



* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 15:10     ` Joshua Brindle
@ 2007-01-09 15:27       ` Karl MacMillan
  0 siblings, 0 replies; 13+ messages in thread
From: Karl MacMillan @ 2007-01-09 15:27 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: SELinux List

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Joshua Brindle wrote:
>>> Karl MacMillan wrote:
>>>> The following patch allows semodule to handle a list of modules for
>>>> installation (i.e., semodule -i *.pp now works).
>>>>
>>>>   
>>> Hrm, while the current syntax isn't ideal, I don't think it's the best
>>> idea to change it abruptly. Maybe you could make -I use the rest of
>>> the arguments or something; otherwise this will break any number of
>>> RPMs, portage, the refpolicy makefiles and so on.
>>>
>>
>> I don't see how this could cause breakage as it doesn't change how any 
>> currently valid option sequence is processed. Instead, it makes 
>> invalid syntax valid (if you look closely at the patch, you can see 
>> that I am actually changing a fatal error path - so what I describe is 
>> guaranteed to be true).
>>
>> I prefer this approach because I think it is the least surprising. I 
>> constantly try the syntax this patch allows only to remember that it 
>> doesn't work.
>>
> 
> Oops, you are right. Do you think having 2 distinct syntaxes for the
> same argument will be less surprising than splitting them up?
> 

No. I think that common current usage is 'semodule -i somemodule.pp' and 
'semodule -i *.pp' (or some other glob) is very natural. I doubt that 
many people actually use 'semodule -i foo.pp -i bar.pp' besides some 
scripts.

Karl


* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-08 21:43 [PATCH] allow semodule -i to accept list of modules Karl MacMillan
  2007-01-09  4:08 ` Joshua Brindle
@ 2007-01-09 16:17 ` Joshua Brindle
  2007-01-09 20:17   ` Stephen Smalley
  1 sibling, 1 reply; 13+ messages in thread
From: Joshua Brindle @ 2007-01-09 16:17 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: SELinux List

Karl MacMillan wrote:
> The following patch allows semodule to handle a list of modules for
> installation (i.e., semodule -i *.pp now works).
>
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
>   
Acked-By: Joshua Brindle <jbrindle@tresys.com>
> diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
> --- a/policycoreutils/semodule/semodule.c	Mon Jan 08 15:00:14 2007 -0500
> +++ b/policycoreutils/semodule/semodule.c	Mon Jan 08 16:37:23 2007 -0500
> @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
>  			}
>  		}
>  	}
> -	if (optind < argc) {
> -		fprintf(stderr, "Extraneous arguments:  ");
> -		while (optind < argc)
> -			fprintf(stderr, "%s", argv[optind++]);
> -		fprintf(stderr, "\n");
> -		usage(argv[0]);
> -		cleanup();
> -		exit(1);
> -	}
>  	if ((build || reload) && num_commands) {
>  		fprintf(stderr,
>  			"build or reload should not be used with other commands\n");
> @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
>  		fprintf(stderr, "At least one mode must be specified.\n");
>  		usage(argv[0]);
>  		exit(1);
> +	}
> +
> +	if (optind < argc) {
> +		/* if -i was the last command treat any remaining
> +		 * arguments as modules to allow 'semodule -i *.pp' to
> +		 * work as expected.
> +		 */
> +		if (commands[num_commands - 1].mode == INSTALL_M) {
> +			while (optind < argc)
> +				set_mode(INSTALL_M, argv[optind++]);
> +		} else {
> +			fprintf(stderr, "unknown additional arguments:\n");
> +			while (optind < argc)
> +				fprintf(stderr, " %s", argv[optind++]);
> +			fprintf(stderr, "\n\n");
> +			usage(argv[0]);
> +			exit(1);
> +		}
>  	}
>  }
>  
>
>
>

* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 16:17 ` Joshua Brindle
@ 2007-01-09 20:17   ` Stephen Smalley
  2007-01-09 20:43     ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2007-01-09 20:17 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> Karl MacMillan wrote:
> > The following patch allows semodule to handle a list of modules for
> > installation (i.e., semodule -i *.pp now works).
> >
> > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> >
> >   
> Acked-By: Joshua Brindle <jbrindle@tresys.com>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

This means we can also update the semodule man page to remove the gross
hack we came up with to work around the absence of such support,
       # Replace all modules with the ones in the current directory
       $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`


> > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
> > --- a/policycoreutils/semodule/semodule.c	Mon Jan 08 15:00:14 2007 -0500
> > +++ b/policycoreutils/semodule/semodule.c	Mon Jan 08 16:37:23 2007 -0500
> > @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
> >  			}
> >  		}
> >  	}
> > -	if (optind < argc) {
> > -		fprintf(stderr, "Extraneous arguments:  ");
> > -		while (optind < argc)
> > -			fprintf(stderr, "%s", argv[optind++]);
> > -		fprintf(stderr, "\n");
> > -		usage(argv[0]);
> > -		cleanup();
> > -		exit(1);
> > -	}
> >  	if ((build || reload) && num_commands) {
> >  		fprintf(stderr,
> >  			"build or reload should not be used with other commands\n");
> > @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
> >  		fprintf(stderr, "At least one mode must be specified.\n");
> >  		usage(argv[0]);
> >  		exit(1);
> > +	}
> > +
> > +	if (optind < argc) {
> > +		/* if -i was the last command treat any remaining
> > +		 * arguments as modules to allow 'semodule -i *.pp' to
> > +		 * work as expected.
> > +		 */
> > +		if (commands[num_commands - 1].mode == INSTALL_M) {
> > +			while (optind < argc)
> > +				set_mode(INSTALL_M, argv[optind++]);
> > +		} else {
> > +			fprintf(stderr, "unknown additional arguments:\n");
> > +			while (optind < argc)
> > +				fprintf(stderr, " %s", argv[optind++]);
> > +			fprintf(stderr, "\n\n");
> > +			usage(argv[0]);
> > +			exit(1);
> > +		}
> >  	}
> >  }
> >  
> >
> >
> >

-- 
Stephen Smalley
National Security Agency



* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 20:17   ` Stephen Smalley
@ 2007-01-09 20:43     ` Stephen Smalley
  2007-01-09 21:52       ` Karl MacMillan
  2007-01-09 21:53       ` Joshua Brindle
  0 siblings, 2 replies; 13+ messages in thread
From: Stephen Smalley @ 2007-01-09 20:43 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > Karl MacMillan wrote:
> > > The following patch allows semodule to handle a list of modules for
> > > installation (i.e., semodule -i *.pp now works).
> > >
> > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > >
> > >   
> > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> 
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> 
> This means we can also update the semodule man page to remove the gross
> hack we came up with to work around the absence of such support,
>        # Replace all modules with the ones in the current directory
>        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`

BTW, any reason we wouldn't support the same thing for -u or -r?

> 
> > > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
> > > --- a/policycoreutils/semodule/semodule.c	Mon Jan 08 15:00:14 2007 -0500
> > > +++ b/policycoreutils/semodule/semodule.c	Mon Jan 08 16:37:23 2007 -0500
> > > @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
> > >  			}
> > >  		}
> > >  	}
> > > -	if (optind < argc) {
> > > -		fprintf(stderr, "Extraneous arguments:  ");
> > > -		while (optind < argc)
> > > -			fprintf(stderr, "%s", argv[optind++]);
> > > -		fprintf(stderr, "\n");
> > > -		usage(argv[0]);
> > > -		cleanup();
> > > -		exit(1);
> > > -	}
> > >  	if ((build || reload) && num_commands) {
> > >  		fprintf(stderr,
> > >  			"build or reload should not be used with other commands\n");
> > > @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
> > >  		fprintf(stderr, "At least one mode must be specified.\n");
> > >  		usage(argv[0]);
> > >  		exit(1);
> > > +	}
> > > +
> > > +	if (optind < argc) {
> > > +		/* if -i was the last command treat any remaining
> > > +		 * arguments as modules to allow 'semodule -i *.pp' to
> > > +		 * work as expected.
> > > +		 */
> > > +		if (commands[num_commands - 1].mode == INSTALL_M) {
> > > +			while (optind < argc)
> > > +				set_mode(INSTALL_M, argv[optind++]);
> > > +		} else {
> > > +			fprintf(stderr, "unknown additional arguments:\n");
> > > +			while (optind < argc)
> > > +				fprintf(stderr, " %s", argv[optind++]);
> > > +			fprintf(stderr, "\n\n");
> > > +			usage(argv[0]);
> > > +			exit(1);
> > > +		}
> > >  	}
> > >  }
> > >  
> > >
> > >
> > >
> 
-- 
Stephen Smalley
National Security Agency



* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 20:43     ` Stephen Smalley
@ 2007-01-09 21:52       ` Karl MacMillan
  2007-01-10 13:46         ` Stephen Smalley
  2007-01-09 21:53       ` Joshua Brindle
  1 sibling, 1 reply; 13+ messages in thread
From: Karl MacMillan @ 2007-01-09 21:52 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Joshua Brindle, SELinux List

On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > Karl MacMillan wrote:
> > > > The following patch allows semodule to handle a list of modules for
> > > > installation (i.e., semodule -i *.pp now works).
> > > >
> > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > >
> > > >   
> > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > 
> > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > 
> > This means we can also update the semodule man page to remove the gross
> > hack we came up with to work around the absence of such support,
> >        # Replace all modules with the ones in the current directory
> >        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> 
> BTW, any reason we wouldn't support the same thing for -u or -r?
> 

Patch below. It is less useful for -r, but still potentially easier. As
for the man page, that is updated but the command for updating
from /usr/share/selinux/policyname still sucks. I came up with:

ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i

Gets rid of awk (so it is potentially easier for many), but it is
longer. At some point someone should make semodule just do the right
thing for a mixed list of modules and base modules. Of course, even that
wouldn't work for the /usr/share/selinux directories because of
enableaudit, so I give up.

Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>

diff -r a70fbd24a437 policycoreutils/semodule/semodule.8
--- a/policycoreutils/semodule/semodule.8	Tue Jan 09 16:21:10 2007 -0500
+++ b/policycoreutils/semodule/semodule.8	Tue Jan 09 16:46:35 2007 -0500
@@ -59,7 +59,10 @@ be verbose
 # List non-base modules.
 $ semodule -l
 # Replace all modules with the ones in the current directory
-$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
+$ semodule -i *.pp
+# Replace all modules with the ones in the current directory
+# excluding base.pp and enableaudit.pp
+$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i
 .fi
 
 .SH SEE ALSO
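Review bot: the new `semodule -i *.pp` example keeps the "Replace all
modules" comment of the line it replaces, but the glob also expands to
base.pp, which the removed example passed through -b rather than -i;
either keep `-b base.pp` in the example or reword the comment. The second
example repeats the same first comment line, and `ls *.pp | ... | xargs`
splits on whitespace in file names, so a form that does not parse ls
output would be the safer thing to document.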
diff -r a70fbd24a437 policycoreutils/semodule/semodule.c
--- a/policycoreutils/semodule/semodule.c	Tue Jan 09 16:21:10 2007 -0500
+++ b/policycoreutils/semodule/semodule.c	Tue Jan 09 16:46:35 2007 -0500
@@ -238,13 +238,17 @@ static void parse_command_line(int argc,
 	}
 
 	if (optind < argc) {
-		/* if -i was the last command treat any remaining
-		 * arguments as modules to allow 'semodule -i *.pp' to
+		int mode;
+		/* if -i/u/r was the last command treat any remaining
+		 * arguments as args. Will allow 'semodule -i *.pp' to
 		 * work as expected.
 		 */
 		if (commands[num_commands - 1].mode == INSTALL_M) {
-			while (optind < argc)
-				set_mode(INSTALL_M, argv[optind++]);
+			mode = INSTALL_M;
+		} else if (commands[num_commands - 1].mode == UPGRADE_M) {
+			mode = UPGRADE_M;
+		} else if (commands[num_commands - 1].mode == REMOVE_M) {
+			mode = REMOVE_M;
 		} else {
 			fprintf(stderr, "unknown additional arguments:\n");
 			while (optind < argc)
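Review bot: the trailing arguments are bound to whichever of -i, -u or -r
is the last entry in commands, and nothing in this patch documents that
rule. With -r in the chain a misordered command line costs more: in
`semodule -i a.pp -r foo b.pp` the stray b.pp is queued for removal
instead of being rejected, and if the option string lets getopt permute
arguments the same happens wherever b.pp appears. Suggest stating the rule
in usage() and the man page; the if/else chain would also read more simply
as a switch on commands[num_commands - 1].mode.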
@@ -253,6 +257,8 @@ static void parse_command_line(int argc,
 			usage(argv[0]);
 			exit(1);
 		}
+		while (optind < argc)
+			set_mode(mode, argv[optind++]);
 	}
 }
 
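Review bot: the shared loop passes each remaining argv entry to set_mode()
unchanged for all three modes, so `semodule -r *.pp` would queue file
names such as apache.pp for removal. If remove mode expects module names
rather than .pp file names, either handle the suffix for REMOVE_M here or
have the man page say that the list form of -r takes names.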





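The filter in the `ls *.pp | grep -Ev "base.pp|enableaudit.pp"` pipeline
from the message above is an unanchored regular expression, so it also
drops any module whose file name merely contains one of those strings. The
shell functions below are an added example, not part of the original
thread or of policycoreutils; the function names and the file names in the
scratch directory (including database.pp) are constructed for illustration.

```sh
#!/bin/sh
# Added example: the thread's filename filter next to an exact-name filter.
# All file names below are constructed samples, not a real policy directory.

# Filter as posted in the thread: unanchored, and "." matches any character,
# so any name that merely contains "base.pp" is dropped as well.
thread_filter() {
    grep -Ev "base.pp|enableaudit.pp"
}

# Exact-name filter: -F takes the patterns literally, -x requires the whole
# line to match, so only the two named files are excluded.
exact_filter() {
    grep -vxF -e base.pp -e enableaudit.pp
}

# Print the *.pp files in directory $1, one per line, through filter $2.
# The glob is expanded by the shell, so the output of ls is never parsed.
list_modules() {
    (
        cd "$1" || exit 1
        for f in *.pp; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    ) | "$2"
}

# Create a scratch directory holding the constructed sample files and print
# its path.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    for name in base.pp enableaudit.pp apache.pp database.pp; do
        : > "$dir/$name"
    done
    printf '%s\n' "$dir"
}

# Demonstration on the constructed directory.
sample=$(make_sample_dir)
echo "thread filter keeps:"
list_modules "$sample" thread_filter
echo "exact filter keeps:"
list_modules "$sample" exact_filter
rm -rf "$sample"
```

Both filters are line-based, so a file name containing a newline would
still be split across lines.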
* RE: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 20:43     ` Stephen Smalley
  2007-01-09 21:52       ` Karl MacMillan
@ 2007-01-09 21:53       ` Joshua Brindle
  2007-01-10 13:29         ` Stephen Smalley
  1 sibling, 1 reply; 13+ messages in thread
From: Joshua Brindle @ 2007-01-09 21:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Karl MacMillan, SELinux List

> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> 
> On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > Karl MacMillan wrote:
> > > > The following patch allows semodule to handle a list of modules 
> > > > for installation (i.e., semodule -i *.pp now works).
> > > >
> > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > >
> > > >   
> > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > 
> > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > 
> > This means we can also update the semodule man page to remove the
> > gross hack we came up with to work around the absence of such support,
> >        # Replace all modules with the ones in the current directory
> >        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> 
> BTW, any reason we wouldn't support the same thing for -u or -r?
> 

-r wouldn't work well because it wants the name of the module (e.g.,
apache) instead of the filename (apache.pp).

> > 
> > > > diff -r e37f9d8d6611 policycoreutils/semodule/semodule.c
> > > > --- a/policycoreutils/semodule/semodule.c	Mon Jan 
> 08 15:00:14 2007 -0500
> > > > +++ b/policycoreutils/semodule/semodule.c	Mon Jan 
> 08 16:37:23 2007 -0500
> > > > @@ -225,15 +225,6 @@ static void parse_command_line(int argc,
> > > >  			}
> > > >  		}
> > > >  	}
> > > > -	if (optind < argc) {
> > > > -		fprintf(stderr, "Extraneous arguments:  ");
> > > > -		while (optind < argc)
> > > > -			fprintf(stderr, "%s", argv[optind++]);
> > > > -		fprintf(stderr, "\n");
> > > > -		usage(argv[0]);
> > > > -		cleanup();
> > > > -		exit(1);
> > > > -	}
> > > >  	if ((build || reload) && num_commands) {
> > > >  		fprintf(stderr,
> > > >  			"build or reload should not be 
> used with other commands\n"); 
> > > > @@ -244,6 +235,24 @@ static void parse_command_line(int argc,
> > > >  		fprintf(stderr, "At least one mode must 
> be specified.\n");
> > > >  		usage(argv[0]);
> > > >  		exit(1);
> > > > +	}
> > > > +
> > > > +	if (optind < argc) {
> > > > +		/* if -i was the last command treat any 
> remaining
> > > > +		 * arguments as modules to allow 
> 'semodule -i *.pp' to
> > > > +		 * work as expected.
> > > > +		 */
> > > > +		if (commands[num_commands - 1].mode == 
> INSTALL_M) {
> > > > +			while (optind < argc)
> > > > +				set_mode(INSTALL_M, 
> argv[optind++]);
> > > > +		} else {
> > > > +			fprintf(stderr, "unknown 
> additional arguments:\n");
> > > > +			while (optind < argc)
> > > > +				fprintf(stderr, " %s", 
> argv[optind++]);
> > > > +			fprintf(stderr, "\n\n");
> > > > +			usage(argv[0]);
> > > > +			exit(1);
> > > > +		}
> > > >  	}
> > > >  }
> > > >  
> > > >
> > > >
> > > >
> > 
> --
> Stephen Smalley
> National Security Agency
> 
> 



* RE: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 21:53       ` Joshua Brindle
@ 2007-01-10 13:29         ` Stephen Smalley
  0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2007-01-10 13:29 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Karl MacMillan, SELinux List

On Tue, 2007-01-09 at 16:53 -0500, Joshua Brindle wrote:
> > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> > 
> > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > Karl MacMillan wrote:
> > > > > The following patch allows semodule to handle a list of modules 
> > > > > for installation (i.e., semodule -i *.pp now works).
> > > > >
> > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > > >
> > > > >   
> > > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > > 
> > > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > > 
> > > This means we can also update the semodule man page to remove the
> > > gross hack we came up with to work around the absence of such support,
> > >        # Replace all modules with the ones in the current directory
> > >        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> > 
> > BTW, any reason we wouldn't support the same thing for -u or -r?
> > 
> 
> -r wouldn't work well because it wants the name of the module (e.g.,
> apache) instead of the filename (apache.pp).

Still useful for e.g. removing a list of modules specified in a file,
ala semodule -r `cat killlist`

-- 
Stephen Smalley
National Security Agency



* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-09 21:52       ` Karl MacMillan
@ 2007-01-10 13:46         ` Stephen Smalley
  2007-01-11 17:36           ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2007-01-10 13:46 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: Joshua Brindle, SELinux List

On Tue, 2007-01-09 at 16:52 -0500, Karl MacMillan wrote:
> On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > Karl MacMillan wrote:
> > > > > The following patch allows semodule to handle a list of modules for
> > > > > installation (i.e., semodule -i *.pp now works).
> > > > >
> > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > > >
> > > > >   
> > > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > > 
> > > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > > 
> > > This means we can also update the semodule man page to remove the gross
> > > hack we came up with to work around the absence of such support,
> > >        # Replace all modules with the ones in the current directory
> > >        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> > 
> > BTW, any reason we wouldn't support the same thing for -u or -r?
> > 
> 
> Patch below. It is less useful for -r, but still potentially easier. As
> for the man page, that is updated but the command for updating
> from /usr/share/selinux/policyname still sucks. I came up with:
> 
> ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i

That has a different effect.  The original command replaces the base
module and any already installed module (semodule -l output) with ones
from the current directory as a single transaction without installing
any new modules, while your command would replace any non-base modules
and install any new ones, without updating the base module (which could
very well fail due to dependencies on the base).  Both actually seem
wrong to me - we do want to install all of the non-base modules from the
directory as per your command but we need to include the base in the
same transaction.

> Gets rid of awk (so it is potentially easier for many), but it is
> longer. At some point someone should make semodule just do the right
> thing for a mixed list of modules and base modules. Of course, even that
> wouldn't work for the /usr/share/selinux directories because of
> enableaudit, so I give up.
> 
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> 
> diff -r a70fbd24a437 policycoreutils/semodule/semodule.8
> --- a/policycoreutils/semodule/semodule.8	Tue Jan 09 16:21:10 2007 -0500
> +++ b/policycoreutils/semodule/semodule.8	Tue Jan 09 16:46:35 2007 -0500
> @@ -59,7 +59,10 @@ be verbose
>  # List non-base modules.
>  $ semodule -l
>  # Replace all modules with the ones in the current directory
> -$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> +$ semodule -i *.pp
> +# Replace all modules with the ones in the current directory
> +# excluding base.pp and enableaudit.pp
> +$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i
>  .fi
>  
>  .SH SEE ALSO
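Review bot: In the added `ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i` line the pattern is unanchored and its dots are unescaped, so it also drops any file whose name merely contains that text (a hypothetical database.pp, for example); `grep -Evx 'base\.pp|enableaudit\.pp'` matches only the two intended names. The two new examples also carry the same "Replace all modules" comment, and the first, `semodule -i *.pp`, would hand a base.pp in the directory to -i where the removed line used `-b base.pp`; each comment should say what its command does with the base module.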
> diff -r a70fbd24a437 policycoreutils/semodule/semodule.c
> --- a/policycoreutils/semodule/semodule.c	Tue Jan 09 16:21:10 2007 -0500
> +++ b/policycoreutils/semodule/semodule.c	Tue Jan 09 16:46:35 2007 -0500
> @@ -238,13 +238,17 @@ static void parse_command_line(int argc,
>  	}
>  
>  	if (optind < argc) {
> -		/* if -i was the last command treat any remaining
> -		 * arguments as modules to allow 'semodule -i *.pp' to
> +		int mode;
> +		/* if -i/u/r was the last command treat any remaining
> +		 * arguments as args. Will allow 'semodule -i *.pp' to
>  		 * work as expected.
>  		 */
>  		if (commands[num_commands - 1].mode == INSTALL_M) {
> -			while (optind < argc)
> -				set_mode(INSTALL_M, argv[optind++]);
> +			mode = INSTALL_M;
> +		} else if (commands[num_commands - 1].mode == UPGRADE_M) {
> +			mode = UPGRADE_M;
> +		} else if (commands[num_commands - 1].mode == REMOVE_M) {
> +			mode = REMOVE_M;
>  		} else {
>  			fprintf(stderr, "unknown additional arguments:\n");
>  			while (optind < argc)
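Review bot: `commands[num_commands - 1]` is indexed here with no check in this hunk that num_commands is nonzero; unless an earlier check guarantees at least one command on every path that reaches this block, trailing arguments given without a command read commands[-1], so guard with `num_commands > 0` before indexing. The three branches only copy the value they just compared, so a single `mode = commands[num_commands - 1].mode;` followed by a switch on INSTALL_M, UPGRADE_M and REMOVE_M would be shorter, and initializing `mode` at its declaration avoids depending on the exit(1) in the else branch to keep it from being used unset.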
> @@ -253,6 +257,8 @@ static void parse_command_line(int argc,
>  			usage(argv[0]);
>  			exit(1);
>  		}
> +		while (optind < argc)
> +			set_mode(mode, argv[optind++]);
>  	}
>  }
>  
> 
> 
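Review bot: The new `while (optind < argc) set_mode(mode, argv[optind++]);` loop gives every trailing argument the mode of the last command, now including -u and -r, but the semodule.8 hunk in this patch documents only the -i form. The man page should mention -u and -r as well and state that the trailing list binds to the last command only, so that in `semodule -i a.pp -r b c` it is clear that c is treated as a removal.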
-- 
Stephen Smalley
National Security Agency



* Re: [PATCH] allow semodule -i to accept list of modules
  2007-01-10 13:46         ` Stephen Smalley
@ 2007-01-11 17:36           ` Stephen Smalley
  0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2007-01-11 17:36 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: Joshua Brindle, SELinux List

On Wed, 2007-01-10 at 08:46 -0500, Stephen Smalley wrote:
> On Tue, 2007-01-09 at 16:52 -0500, Karl MacMillan wrote:
> > On Tue, 2007-01-09 at 15:43 -0500, Stephen Smalley wrote:
> > > On Tue, 2007-01-09 at 15:17 -0500, Stephen Smalley wrote:
> > > > On Tue, 2007-01-09 at 11:17 -0500, Joshua Brindle wrote:
> > > > > Karl MacMillan wrote:
> > > > > > The following patch allows semodule to handle a list of modules for
> > > > > > installation (i.e., semodule -i *.pp now works).
> > > > > >
> > > > > > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > > > > >
> > > > > >   
> > > > > Acked-By: Joshua Brindle <jbrindle@tresys.com>
> > > > 
> > > > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> > > > 
> > > > This means we can also update the semodule man page to remove the gross
> > > > hack we came up with to work around the absence of such support,
> > > >        # Replace all modules with the ones in the current directory
> > > >        $ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> > > 
> > > BTW, any reason we wouldn't support the same thing for -u or -r?
> > > 
> > 
> > Patch below. It is less useful for -r, but still potentially easier. As
> > for the man page, that is updated but the command for updating
> > from /usr/share/selinux/policyname still sucks. I came up with:
> > 
> > ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i
> 
> That has a different effect.  The original command replaces the base
> module and any already installed module (semodule -l output) with ones
> from the current directory as a single transaction without installing
> any new modules, while your command would replace any non-base modules
> and install any new ones, without updating the base module (which could
> very well fail due to dependencies on the base).  Both actually seem
> wrong to me - we do want to install all of the non-base modules from the
> directory as per your command but we need to include the base in the
> same transaction.
> 
> > Gets rid of awk (so it is potentially easier for many), but it is
> > longer. At some point someone should make semodule just do the right
> > thing for a mixed list of modules and base modules. Of course, even that
> > wouldn't work for the /usr/share/selinux directories because of
> > enableaudit, so I give up.
> > 
> > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > 
> > diff -r a70fbd24a437 policycoreutils/semodule/semodule.8
> > --- a/policycoreutils/semodule/semodule.8	Tue Jan 09 16:21:10 2007 -0500
> > +++ b/policycoreutils/semodule/semodule.8	Tue Jan 09 16:46:35 2007 -0500
> > @@ -59,7 +59,10 @@ be verbose
> >  # List non-base modules.
> >  $ semodule -l
> >  # Replace all modules with the ones in the current directory
> > -$ semodule -b base.pp `semodule -l | awk '{print "-i " $1 ".pp"}'`
> > +$ semodule -i *.pp
> > +# Replace all modules with the ones in the current directory
> > +# excluding base.pp and enableaudit.pp
> > +$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -i
> >  .fi
> >  
> >  .SH SEE ALSO
> > diff -r a70fbd24a437 policycoreutils/semodule/semodule.c
> > --- a/policycoreutils/semodule/semodule.c	Tue Jan 09 16:21:10 2007 -0500
> > +++ b/policycoreutils/semodule/semodule.c	Tue Jan 09 16:46:35 2007 -0500
> > @@ -238,13 +238,17 @@ static void parse_command_line(int argc,
> >  	}
> >  
> >  	if (optind < argc) {
> > -		/* if -i was the last command treat any remaining
> > -		 * arguments as modules to allow 'semodule -i *.pp' to
> > +		int mode;
> > +		/* if -i/u/r was the last command treat any remaining
> > +		 * arguments as args. Will allow 'semodule -i *.pp' to
> >  		 * work as expected.
> >  		 */
> >  		if (commands[num_commands - 1].mode == INSTALL_M) {
> > -			while (optind < argc)
> > -				set_mode(INSTALL_M, argv[optind++]);
> > +			mode = INSTALL_M;
> > +		} else if (commands[num_commands - 1].mode == UPGRADE_M) {
> > +			mode = UPGRADE_M;
> > +		} else if (commands[num_commands - 1].mode == REMOVE_M) {
> > +			mode = REMOVE_M;
> >  		} else {
> >  			fprintf(stderr, "unknown additional arguments:\n");
> >  			while (optind < argc)
> > @@ -253,6 +257,8 @@ static void parse_command_line(int argc,
> >  			usage(argv[0]);
> >  			exit(1);
> >  		}
> > +		while (optind < argc)
> > +			set_mode(mode, argv[optind++]);
> >  	}
> >  }
> >  

Merged with some changes to the man page in policycoreutils 1.33.12.

-- 
Stephen Smalley
National Security Agency

