[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  1 +
 3 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..02c615ac 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -347,6 +347,7 @@ LIBSEMANAGE_1.1 {
 } LIBSEMANAGE_1.0;
 
 LIBSEMANAGE_3.4 {
+    semanage_handle_create_with_path;
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
-- 
2.47.2

[PATCH 2/2] semodule: add config argument

[Tristan Ross]

---
 policycoreutils/semodule/semodule.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ebe062bf..274cdbd9 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -145,6 +145,7 @@ static void usage(char *progname)
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
+	printf("  -o,--config=PATH use an alternate path for the semanage config\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
@@ -223,7 +224,7 @@ static void parse_command_line(int argc, char **argv)
 	check_ext_changes = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:o:S:E:cHm",
 			    opts, &longind)) != -1) {
 		switch (i) {
 		case '\0':
@@ -304,6 +305,14 @@ static void parse_command_line(int argc, char **argv)
 		case 'C':
 			ignore_module_cache = 1;
 			break;
+		case 'o':
+			sh = semanage_handle_create_with_path(optarg);
+			if (!sh) {
+				fprintf(stderr, "%s:  Could not create semanage handle\n",
+					argv[0]);
+				exit(1);
+			}
+			break;
 		case 'X':
 			set_mode(PRIORITY_M, optarg);
 			break;
@@ -421,11 +430,13 @@ int main(int argc, char *argv[])
 	if (build || check_ext_changes)
 		commit = 1;
 
-	sh = semanage_handle_create();
 	if (!sh) {
-		fprintf(stderr, "%s:  Could not create semanage handle\n",
-			argv[0]);
-		goto cleanup_nohandle;
+		sh = semanage_handle_create();
+		if (!sh) {
+			fprintf(stderr, "%s:  Could not create semanage handle\n",
+				argv[0]);
+			goto cleanup_nohandle;
+		}
 	}
 
 	if (store) {
-- 
2.47.2

Re: [PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Christian Göttsche]

On Fri, 11 Apr 2025 at 21:01, Tristan Ross <tristan.ross@midstall.com> wrote:
>
> ---
>  libsemanage/include/semanage/handle.h |  6 +++++-
>  libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
>  libsemanage/src/libsemanage.map       |  1 +
>  3 files changed, 25 insertions(+), 8 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index a5ea31de..601cd9ee 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -30,7 +30,11 @@
>  struct semanage_handle;
>  typedef struct semanage_handle semanage_handle_t;
>
> -/* Create and return a semanage handle.
> +/* Create and return a semanage handle with a specific config path.
> +   The handle is initially in the disconnected state. */
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
> +
> +/* Create and return a semanage handle with the default config path.
>     The handle is initially in the disconnected state. */
>  extern semanage_handle_t *semanage_handle_create(void);
>
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index faea0606..ca57702a 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -59,19 +59,14 @@ const char * semanage_root(void)
>         return private_semanage_root;
>  }
>
> -
> -semanage_handle_t *semanage_handle_create(void)
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
>  {
>         semanage_handle_t *sh = NULL;
> -       char *conf_name = NULL;
>
>         /* Allocate handle */
>         if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>                 goto err;
>
> -       if ((conf_name = semanage_conf_path()) == NULL)
> -               goto err;
> -
>         if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
>                 goto err;
>
> @@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
>         sh->msg_callback = semanage_msg_default_handler;
>         sh->msg_callback_arg = NULL;
>
> +       return sh;
> +
> +      err:
> +       semanage_handle_destroy(sh);
> +       return NULL;
> +}
> +
> +semanage_handle_t *semanage_handle_create(void)
> +{
> +       semanage_handle_t *sh = NULL;
> +       char *conf_name = NULL;
> +
> +       if ((conf_name = semanage_conf_path()) == NULL)
> +               goto err;
> +
> +       if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
> +               goto err;
> +
>         free(conf_name);
>
>         return sh;
>
>        err:
>         free(conf_name);
> -       semanage_handle_destroy(sh);
>         return NULL;
>  }
>
> diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> index c8214b26..02c615ac 100644
> --- a/libsemanage/src/libsemanage.map
> +++ b/libsemanage/src/libsemanage.map
> @@ -347,6 +347,7 @@ LIBSEMANAGE_1.1 {
>  } LIBSEMANAGE_1.0;
>
>  LIBSEMANAGE_3.4 {
> +    semanage_handle_create_with_path;

This should be placed in a new soname section.

>      semanage_module_compute_checksum;
>      semanage_set_check_ext_changes;
>  } LIBSEMANAGE_1.1;
> --
> 2.47.2
>
>

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  4 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..5dab7bf7 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_3.5 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;
-- 
2.47.2

Re: [PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[James Carter]

On Wed, Apr 16, 2025 at 12:50 AM Tristan Ross <tristan.ross@midstall.com> wrote:
>

Along with a "Signed-off-by" tag, both of these patches need a commit
log that describes what they do and why they were created.
Thanks,
Jim

> ---
>  libsemanage/include/semanage/handle.h |  6 +++++-
>  libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
>  libsemanage/src/libsemanage.map       |  4 ++++
>  3 files changed, 28 insertions(+), 8 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index a5ea31de..601cd9ee 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -30,7 +30,11 @@
>  struct semanage_handle;
>  typedef struct semanage_handle semanage_handle_t;
>
> -/* Create and return a semanage handle.
> +/* Create and return a semanage handle with a specific config path.
> +   The handle is initially in the disconnected state. */
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
> +
> +/* Create and return a semanage handle with the default config path.
>     The handle is initially in the disconnected state. */
>  extern semanage_handle_t *semanage_handle_create(void);
>
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index faea0606..ca57702a 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -59,19 +59,14 @@ const char * semanage_root(void)
>         return private_semanage_root;
>  }
>
> -
> -semanage_handle_t *semanage_handle_create(void)
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
>  {
>         semanage_handle_t *sh = NULL;
> -       char *conf_name = NULL;
>
>         /* Allocate handle */
>         if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>                 goto err;
>
> -       if ((conf_name = semanage_conf_path()) == NULL)
> -               goto err;
> -
>         if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
>                 goto err;
>
> @@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
>         sh->msg_callback = semanage_msg_default_handler;
>         sh->msg_callback_arg = NULL;
>
> +       return sh;
> +
> +      err:
> +       semanage_handle_destroy(sh);
> +       return NULL;
> +}
> +
> +semanage_handle_t *semanage_handle_create(void)
> +{
> +       semanage_handle_t *sh = NULL;
> +       char *conf_name = NULL;
> +
> +       if ((conf_name = semanage_conf_path()) == NULL)
> +               goto err;
> +
> +       if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
> +               goto err;
> +
>         free(conf_name);
>
>         return sh;
>
>        err:
>         free(conf_name);
> -       semanage_handle_destroy(sh);
>         return NULL;
>  }
>
> diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> index c8214b26..5dab7bf7 100644
> --- a/libsemanage/src/libsemanage.map
> +++ b/libsemanage/src/libsemanage.map
> @@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
>      semanage_module_compute_checksum;
>      semanage_set_check_ext_changes;
>  } LIBSEMANAGE_1.1;
> +
> +LIBSEMANAGE_3.5 {
> +    semanage_handle_create_with_path;
> +} LIBSEMANAGE_3.4;
> --
> 2.47.2
>
>

Re: [PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Petr Lautrbach]

Tristan Ross <tristan.ross@midstall.com> writes:

> ---
>  libsemanage/include/semanage/handle.h |  6 +++++-
>  libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
>  libsemanage/src/libsemanage.map       |  4 ++++
>  3 files changed, 28 insertions(+), 8 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index a5ea31de..601cd9ee 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -30,7 +30,11 @@
>  struct semanage_handle;
>  typedef struct semanage_handle semanage_handle_t;
>  
> -/* Create and return a semanage handle.
> +/* Create and return a semanage handle with a specific config path.
> +   The handle is initially in the disconnected state. */
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
> +
> +/* Create and return a semanage handle with the default config path.
>     The handle is initially in the disconnected state. */
>  extern semanage_handle_t *semanage_handle_create(void);
>  
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index faea0606..ca57702a 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -59,19 +59,14 @@ const char * semanage_root(void)
>  	return private_semanage_root;
>  }
>  
> -
> -semanage_handle_t *semanage_handle_create(void)
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
>  {
>  	semanage_handle_t *sh = NULL;
> -	char *conf_name = NULL;
>  
>  	/* Allocate handle */
>  	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>  		goto err;
>  
> -	if ((conf_name = semanage_conf_path()) == NULL)
> -		goto err;
> -
>  	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
>  		goto err;
>  
> @@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
>  	sh->msg_callback = semanage_msg_default_handler;
>  	sh->msg_callback_arg = NULL;
>  
> +	return sh;
> +
> +      err:
> +	semanage_handle_destroy(sh);
> +	return NULL;
> +}
> +
> +semanage_handle_t *semanage_handle_create(void)
> +{
> +	semanage_handle_t *sh = NULL;
> +	char *conf_name = NULL;
> +
> +	if ((conf_name = semanage_conf_path()) == NULL)
> +		goto err;
> +
> +	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
> +		goto err;
> +
>  	free(conf_name);
>  
>  	return sh;
>  
>        err:
>  	free(conf_name);
> -	semanage_handle_destroy(sh);
>  	return NULL;
>  }
>  
> diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> index c8214b26..5dab7bf7 100644
> --- a/libsemanage/src/libsemanage.map
> +++ b/libsemanage/src/libsemanage.map
> @@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
>      semanage_module_compute_checksum;
>      semanage_set_check_ext_changes;
>  } LIBSEMANAGE_1.1;
> +
> +LIBSEMANAGE_3.5 {
> +    semanage_handle_create_with_path;
> +} LIBSEMANAGE_3.4;
>

It will be part of the next 3.9 release therefore this should be

+LIBSEMANAGE_3.9 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;



 -- 
> 2.47.2

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

Adds "semanage_handle_create_with_path" to create an semanage handle
with a config file from a specific path. This is useful for baking
SELinux policy generation into a Nix derivation.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  4 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..5dab7bf7 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_3.5 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;
-- 
2.47.2

[PATCH 2/2] semodule: add config argument

[Tristan Ross]

Use "semanage_handle_create_with_path" and implement a new flag for
handling semanage config files at specific paths.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 policycoreutils/semodule/semodule.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ebe062bf..80fd0451 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -145,6 +145,7 @@ static void usage(char *progname)
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
+	printf("  -o,--config=PATH use an alternate path for the semanage config\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
@@ -210,6 +211,7 @@ static void parse_command_line(int argc, char **argv)
 		{"enable", required_argument, NULL, 'e'},
 		{"disable", required_argument, NULL, 'd'},
 		{"path", required_argument, NULL, 'p'},
+		{"config", required_argument, NULL, 'o'},
 		{"store-path", required_argument, NULL, 'S'},
 		{"checksum", 0, NULL, 'm'},
 		{NULL, 0, NULL, 0}
@@ -223,7 +225,7 @@ static void parse_command_line(int argc, char **argv)
 	check_ext_changes = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:o:S:E:cHm",
 			    opts, &longind)) != -1) {
 		switch (i) {
 		case '\0':
@@ -304,6 +306,14 @@ static void parse_command_line(int argc, char **argv)
 		case 'C':
 			ignore_module_cache = 1;
 			break;
+		case 'o':
+			sh = semanage_handle_create_with_path(optarg);
+			if (!sh) {
+				fprintf(stderr, "%s:  Could not create semanage handle\n",
+					argv[0]);
+				exit(1);
+			}
+			break;
 		case 'X':
 			set_mode(PRIORITY_M, optarg);
 			break;
@@ -421,11 +431,13 @@ int main(int argc, char *argv[])
 	if (build || check_ext_changes)
 		commit = 1;
 
-	sh = semanage_handle_create();
 	if (!sh) {
-		fprintf(stderr, "%s:  Could not create semanage handle\n",
-			argv[0]);
-		goto cleanup_nohandle;
+		sh = semanage_handle_create();
+		if (!sh) {
+			fprintf(stderr, "%s:  Could not create semanage handle\n",
+				argv[0]);
+			goto cleanup_nohandle;
+		}
 	}
 
 	if (store) {
-- 
2.47.2

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

Adds "semanage_handle_create_with_path" to create an semanage handle
with a config file from a specific path. This is useful for baking
SELinux policy generation into a Nix derivation.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  4 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..8d7d8b05 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_3.9 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;
-- 
2.47.2

[PATCH 2/2] semodule: add config argument

[Tristan Ross]

Use "semanage_handle_create_with_path" and implement a new flag for
handling semanage config files at specific paths.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 policycoreutils/semodule/semodule.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ebe062bf..80fd0451 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -145,6 +145,7 @@ static void usage(char *progname)
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
+	printf("  -o,--config=PATH use an alternate path for the semanage config\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
@@ -210,6 +211,7 @@ static void parse_command_line(int argc, char **argv)
 		{"enable", required_argument, NULL, 'e'},
 		{"disable", required_argument, NULL, 'd'},
 		{"path", required_argument, NULL, 'p'},
+		{"config", required_argument, NULL, 'o'},
 		{"store-path", required_argument, NULL, 'S'},
 		{"checksum", 0, NULL, 'm'},
 		{NULL, 0, NULL, 0}
@@ -223,7 +225,7 @@ static void parse_command_line(int argc, char **argv)
 	check_ext_changes = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:o:S:E:cHm",
 			    opts, &longind)) != -1) {
 		switch (i) {
 		case '\0':
@@ -304,6 +306,14 @@ static void parse_command_line(int argc, char **argv)
 		case 'C':
 			ignore_module_cache = 1;
 			break;
+		case 'o':
+			sh = semanage_handle_create_with_path(optarg);
+			if (!sh) {
+				fprintf(stderr, "%s:  Could not create semanage handle\n",
+					argv[0]);
+				exit(1);
+			}
+			break;
 		case 'X':
 			set_mode(PRIORITY_M, optarg);
 			break;
@@ -421,11 +431,13 @@ int main(int argc, char *argv[])
 	if (build || check_ext_changes)
 		commit = 1;
 
-	sh = semanage_handle_create();
 	if (!sh) {
-		fprintf(stderr, "%s:  Could not create semanage handle\n",
-			argv[0]);
-		goto cleanup_nohandle;
+		sh = semanage_handle_create();
+		if (!sh) {
+			fprintf(stderr, "%s:  Could not create semanage handle\n",
+				argv[0]);
+			goto cleanup_nohandle;
+		}
 	}
 
 	if (store) {
-- 
2.47.2

Re: [PATCH 2/2] semodule: add config argument

[James Carter]

On Fri, Apr 18, 2025 at 2:13 PM Tristan Ross <tristan.ross@midstall.com> wrote:
>
> Use "semanage_handle_create_with_path" and implement a new flag for
> handling semanage config files at specific paths.
>
> Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
> ---
>  policycoreutils/semodule/semodule.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
> index ebe062bf..80fd0451 100644
> --- a/policycoreutils/semodule/semodule.c
> +++ b/policycoreutils/semodule/semodule.c
> @@ -145,6 +145,7 @@ static void usage(char *progname)
>         printf("  -v,--verbose     be verbose\n");
>         printf("  -P,--preserve_tunables        Preserve tunables in policy\n");
>         printf("  -C,--ignore-module-cache      Rebuild CIL modules compiled from HLL files\n");
> +       printf("  -o,--config=PATH use an alternate path for the semanage config\n");

I know that all of the obvious letters have already been used, but I
really don't want to use "o" for this.
I think I would prefer "g" to be used.

Also, the man page needs to be updated as well.

Functionally, everything looks good to me.

Thanks,
Jim

>         printf("  -p,--path        use an alternate path for the policy root\n");
>         printf("  -S,--store-path  use an alternate path for the policy store root\n");
>         printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
> @@ -210,6 +211,7 @@ static void parse_command_line(int argc, char **argv)
>                 {"enable", required_argument, NULL, 'e'},
>                 {"disable", required_argument, NULL, 'd'},
>                 {"path", required_argument, NULL, 'p'},
> +               {"config", required_argument, NULL, 'o'},
>                 {"store-path", required_argument, NULL, 'S'},
>                 {"checksum", 0, NULL, 'm'},
>                 {NULL, 0, NULL, 0}
> @@ -223,7 +225,7 @@ static void parse_command_line(int argc, char **argv)
>         check_ext_changes = 0;
>         priority = 400;
>         while ((i =
> -               getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
> +               getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:o:S:E:cHm",
>                             opts, &longind)) != -1) {
>                 switch (i) {
>                 case '\0':
> @@ -304,6 +306,14 @@ static void parse_command_line(int argc, char **argv)
>                 case 'C':
>                         ignore_module_cache = 1;
>                         break;
> +               case 'o':
> +                       sh = semanage_handle_create_with_path(optarg);
> +                       if (!sh) {
> +                               fprintf(stderr, "%s:  Could not create semanage handle\n",
> +                                       argv[0]);
> +                               exit(1);
> +                       }
> +                       break;
>                 case 'X':
>                         set_mode(PRIORITY_M, optarg);
>                         break;
> @@ -421,11 +431,13 @@ int main(int argc, char *argv[])
>         if (build || check_ext_changes)
>                 commit = 1;
>
> -       sh = semanage_handle_create();
>         if (!sh) {
> -               fprintf(stderr, "%s:  Could not create semanage handle\n",
> -                       argv[0]);
> -               goto cleanup_nohandle;
> +               sh = semanage_handle_create();
> +               if (!sh) {
> +                       fprintf(stderr, "%s:  Could not create semanage handle\n",
> +                               argv[0]);
> +                       goto cleanup_nohandle;
> +               }
>         }
>
>         if (store) {
> --
> 2.47.2
>
>

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

Adds "semanage_handle_create_with_path" to create an semanage handle
with a config file from a specific path. This is useful for baking
SELinux policy generation into a Nix derivation.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  4 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..8d7d8b05 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_3.9 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;
-- 
2.47.2

[PATCH 2/2] semodule: add config argument

[Tristan Ross]

Use "semanage_handle_create_with_path" and implement a new flag for
handling semanage config files at specific paths.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 policycoreutils/semodule/semodule.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ebe062bf..ab5168eb 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -145,6 +145,7 @@ static void usage(char *progname)
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
+	printf("  -g,--config=PATH use an alternate path for the semanage config\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
@@ -210,6 +211,7 @@ static void parse_command_line(int argc, char **argv)
 		{"enable", required_argument, NULL, 'e'},
 		{"disable", required_argument, NULL, 'd'},
 		{"path", required_argument, NULL, 'p'},
+		{"config", required_argument, NULL, 'g'},
 		{"store-path", required_argument, NULL, 'S'},
 		{"checksum", 0, NULL, 'm'},
 		{NULL, 0, NULL, 0}
@@ -223,7 +225,7 @@ static void parse_command_line(int argc, char **argv)
 	check_ext_changes = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:g:S:E:cHm",
 			    opts, &longind)) != -1) {
 		switch (i) {
 		case '\0':
@@ -304,6 +306,14 @@ static void parse_command_line(int argc, char **argv)
 		case 'C':
 			ignore_module_cache = 1;
 			break;
+		case 'g':
+			sh = semanage_handle_create_with_path(optarg);
+			if (!sh) {
+				fprintf(stderr, "%s:  Could not create semanage handle\n",
+					argv[0]);
+				exit(1);
+			}
+			break;
 		case 'X':
 			set_mode(PRIORITY_M, optarg);
 			break;
@@ -421,11 +431,13 @@ int main(int argc, char *argv[])
 	if (build || check_ext_changes)
 		commit = 1;
 
-	sh = semanage_handle_create();
 	if (!sh) {
-		fprintf(stderr, "%s:  Could not create semanage handle\n",
-			argv[0]);
-		goto cleanup_nohandle;
+		sh = semanage_handle_create();
+		if (!sh) {
+			fprintf(stderr, "%s:  Could not create semanage handle\n",
+				argv[0]);
+			goto cleanup_nohandle;
+		}
 	}
 
 	if (store) {
-- 
2.47.2

[PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[Tristan Ross]

Adds "semanage_handle_create_with_path" to create an semanage handle
with a config file from a specific path. This is useful for baking
SELinux policy generation into a Nix derivation.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 libsemanage/include/semanage/handle.h |  6 +++++-
 libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
 libsemanage/src/libsemanage.map       |  4 ++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index a5ea31de..601cd9ee 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -30,7 +30,11 @@
 struct semanage_handle;
 typedef struct semanage_handle semanage_handle_t;
 
-/* Create and return a semanage handle.
+/* Create and return a semanage handle with a specific config path.
+   The handle is initially in the disconnected state. */
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
+
+/* Create and return a semanage handle with the default config path.
    The handle is initially in the disconnected state. */
 extern semanage_handle_t *semanage_handle_create(void);
 
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index faea0606..ca57702a 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -59,19 +59,14 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
-
-semanage_handle_t *semanage_handle_create(void)
+semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
 {
 	semanage_handle_t *sh = NULL;
-	char *conf_name = NULL;
 
 	/* Allocate handle */
 	if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
 		goto err;
 
-	if ((conf_name = semanage_conf_path()) == NULL)
-		goto err;
-
 	if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
 		goto err;
 
@@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
 	sh->msg_callback = semanage_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 
+	return sh;
+
+      err:
+	semanage_handle_destroy(sh);
+	return NULL;
+}
+
+semanage_handle_t *semanage_handle_create(void)
+{
+	semanage_handle_t *sh = NULL;
+	char *conf_name = NULL;
+
+	if ((conf_name = semanage_conf_path()) == NULL)
+		goto err;
+
+	if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
+		goto err;
+
 	free(conf_name);
 
 	return sh;
 
       err:
 	free(conf_name);
-	semanage_handle_destroy(sh);
 	return NULL;
 }
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index c8214b26..8d7d8b05 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
     semanage_module_compute_checksum;
     semanage_set_check_ext_changes;
 } LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_3.9 {
+    semanage_handle_create_with_path;
+} LIBSEMANAGE_3.4;
-- 
2.47.2

[PATCH 2/2] semodule: add config argument

[Tristan Ross]

Use "semanage_handle_create_with_path" and implement a new flag for
handling semanage config files at specific paths.

Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
---
 policycoreutils/semodule/semodule.8 |  3 +++
 policycoreutils/semodule/semodule.c | 22 +++++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 00c60c1e..ae928611 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -86,6 +86,9 @@ Preserve tunables in policy
 .B \-C,\-\-ignore-module-cache
 Recompile CIL modules built from HLL files
 .TP
+.B \-g,\-\-config=PATH
+use an alternate path for the semanage config
+.TP
 .B \-p,\-\-path
 Use an alternate path for the policy root
 .TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ebe062bf..ab5168eb 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -145,6 +145,7 @@ static void usage(char *progname)
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
+	printf("  -g,--config=PATH use an alternate path for the semanage config\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
@@ -210,6 +211,7 @@ static void parse_command_line(int argc, char **argv)
 		{"enable", required_argument, NULL, 'e'},
 		{"disable", required_argument, NULL, 'd'},
 		{"path", required_argument, NULL, 'p'},
+		{"config", required_argument, NULL, 'g'},
 		{"store-path", required_argument, NULL, 'S'},
 		{"checksum", 0, NULL, 'm'},
 		{NULL, 0, NULL, 0}
@@ -223,7 +225,7 @@ static void parse_command_line(int argc, char **argv)
 	check_ext_changes = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:g:S:E:cHm",
 			    opts, &longind)) != -1) {
 		switch (i) {
 		case '\0':
@@ -304,6 +306,14 @@ static void parse_command_line(int argc, char **argv)
 		case 'C':
 			ignore_module_cache = 1;
 			break;
+		case 'g':
+			sh = semanage_handle_create_with_path(optarg);
+			if (!sh) {
+				fprintf(stderr, "%s:  Could not create semanage handle\n",
+					argv[0]);
+				exit(1);
+			}
+			break;
 		case 'X':
 			set_mode(PRIORITY_M, optarg);
 			break;
@@ -421,11 +431,13 @@ int main(int argc, char *argv[])
 	if (build || check_ext_changes)
 		commit = 1;
 
-	sh = semanage_handle_create();
 	if (!sh) {
-		fprintf(stderr, "%s:  Could not create semanage handle\n",
-			argv[0]);
-		goto cleanup_nohandle;
+		sh = semanage_handle_create();
+		if (!sh) {
+			fprintf(stderr, "%s:  Could not create semanage handle\n",
+				argv[0]);
+			goto cleanup_nohandle;
+		}
 	}
 
 	if (store) {
-- 
2.47.2

Re: [PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[James Carter]

On Fri, Apr 25, 2025 at 2:09 PM Tristan Ross <tristan.ross@midstall.com> wrote:
>
> Adds "semanage_handle_create_with_path" to create an semanage handle
> with a config file from a specific path. This is useful for baking
> SELinux policy generation into a Nix derivation.
>
> Signed-off-by: Tristan Ross <tristan.ross@midstall.com>

For these two patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsemanage/include/semanage/handle.h |  6 +++++-
>  libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
>  libsemanage/src/libsemanage.map       |  4 ++++
>  3 files changed, 28 insertions(+), 8 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index a5ea31de..601cd9ee 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -30,7 +30,11 @@
>  struct semanage_handle;
>  typedef struct semanage_handle semanage_handle_t;
>
> -/* Create and return a semanage handle.
> +/* Create and return a semanage handle with a specific config path.
> +   The handle is initially in the disconnected state. */
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
> +
> +/* Create and return a semanage handle with the default config path.
>     The handle is initially in the disconnected state. */
>  extern semanage_handle_t *semanage_handle_create(void);
>
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index faea0606..ca57702a 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -59,19 +59,14 @@ const char * semanage_root(void)
>         return private_semanage_root;
>  }
>
> -
> -semanage_handle_t *semanage_handle_create(void)
> +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
>  {
>         semanage_handle_t *sh = NULL;
> -       char *conf_name = NULL;
>
>         /* Allocate handle */
>         if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
>                 goto err;
>
> -       if ((conf_name = semanage_conf_path()) == NULL)
> -               goto err;
> -
>         if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
>                 goto err;
>
> @@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
>         sh->msg_callback = semanage_msg_default_handler;
>         sh->msg_callback_arg = NULL;
>
> +       return sh;
> +
> +      err:
> +       semanage_handle_destroy(sh);
> +       return NULL;
> +}
> +
> +semanage_handle_t *semanage_handle_create(void)
> +{
> +       semanage_handle_t *sh = NULL;
> +       char *conf_name = NULL;
> +
> +       if ((conf_name = semanage_conf_path()) == NULL)
> +               goto err;
> +
> +       if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
> +               goto err;
> +
>         free(conf_name);
>
>         return sh;
>
>        err:
>         free(conf_name);
> -       semanage_handle_destroy(sh);
>         return NULL;
>  }
>
> diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> index c8214b26..8d7d8b05 100644
> --- a/libsemanage/src/libsemanage.map
> +++ b/libsemanage/src/libsemanage.map
> @@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
>      semanage_module_compute_checksum;
>      semanage_set_check_ext_changes;
>  } LIBSEMANAGE_1.1;
> +
> +LIBSEMANAGE_3.9 {
> +    semanage_handle_create_with_path;
> +} LIBSEMANAGE_3.4;
> --
> 2.47.2
>
>

Re: [PATCH 1/2] libsemanage: add semanage_handle_create_with_path

[James Carter]

On Tue, Apr 29, 2025 at 11:18 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Apr 25, 2025 at 2:09 PM Tristan Ross <tristan.ross@midstall.com> wrote:
> >
> > Adds "semanage_handle_create_with_path" to create an semanage handle
> > with a config file from a specific path. This is useful for baking
> > SELinux policy generation into a Nix derivation.
> >
> > Signed-off-by: Tristan Ross <tristan.ross@midstall.com>
>
> For these two patches:
> Acked-by: James Carter <jwcart2@gmail.com>
>

These two patches have been merged.
Thanks,
Jim

> > ---
> >  libsemanage/include/semanage/handle.h |  6 +++++-
> >  libsemanage/src/handle.c              | 26 +++++++++++++++++++-------
> >  libsemanage/src/libsemanage.map       |  4 ++++
> >  3 files changed, 28 insertions(+), 8 deletions(-)
> >
> > diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> > index a5ea31de..601cd9ee 100644
> > --- a/libsemanage/include/semanage/handle.h
> > +++ b/libsemanage/include/semanage/handle.h
> > @@ -30,7 +30,11 @@
> >  struct semanage_handle;
> >  typedef struct semanage_handle semanage_handle_t;
> >
> > -/* Create and return a semanage handle.
> > +/* Create and return a semanage handle with a specific config path.
> > +   The handle is initially in the disconnected state. */
> > +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name);
> > +
> > +/* Create and return a semanage handle with the default config path.
> >     The handle is initially in the disconnected state. */
> >  extern semanage_handle_t *semanage_handle_create(void);
> >
> > diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> > index faea0606..ca57702a 100644
> > --- a/libsemanage/src/handle.c
> > +++ b/libsemanage/src/handle.c
> > @@ -59,19 +59,14 @@ const char * semanage_root(void)
> >         return private_semanage_root;
> >  }
> >
> > -
> > -semanage_handle_t *semanage_handle_create(void)
> > +semanage_handle_t *semanage_handle_create_with_path(const char *conf_name)
> >  {
> >         semanage_handle_t *sh = NULL;
> > -       char *conf_name = NULL;
> >
> >         /* Allocate handle */
> >         if ((sh = calloc(1, sizeof(semanage_handle_t))) == NULL)
> >                 goto err;
> >
> > -       if ((conf_name = semanage_conf_path()) == NULL)
> > -               goto err;
> > -
> >         if ((sh->conf = semanage_conf_parse(conf_name)) == NULL)
> >                 goto err;
> >
> > @@ -106,13 +101,30 @@ semanage_handle_t *semanage_handle_create(void)
> >         sh->msg_callback = semanage_msg_default_handler;
> >         sh->msg_callback_arg = NULL;
> >
> > +       return sh;
> > +
> > +      err:
> > +       semanage_handle_destroy(sh);
> > +       return NULL;
> > +}
> > +
> > +semanage_handle_t *semanage_handle_create(void)
> > +{
> > +       semanage_handle_t *sh = NULL;
> > +       char *conf_name = NULL;
> > +
> > +       if ((conf_name = semanage_conf_path()) == NULL)
> > +               goto err;
> > +
> > +       if ((sh = semanage_handle_create_with_path(conf_name)) == NULL)
> > +               goto err;
> > +
> >         free(conf_name);
> >
> >         return sh;
> >
> >        err:
> >         free(conf_name);
> > -       semanage_handle_destroy(sh);
> >         return NULL;
> >  }
> >
> > diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> > index c8214b26..8d7d8b05 100644
> > --- a/libsemanage/src/libsemanage.map
> > +++ b/libsemanage/src/libsemanage.map
> > @@ -350,3 +350,7 @@ LIBSEMANAGE_3.4 {
> >      semanage_module_compute_checksum;
> >      semanage_set_check_ext_changes;
> >  } LIBSEMANAGE_1.1;
> > +
> > +LIBSEMANAGE_3.9 {
> > +    semanage_handle_create_with_path;
> > +} LIBSEMANAGE_3.4;
> > --
> > 2.47.2
> >
> >