/* Authors: Karl MacMillan <kmacmillan@tresys.com>
* Joshua Brindle <jbrindle@tresys.com>
* Jason Tang <jtang@tresys.com>
*
* Copyright (C) 2004-2005 Tresys Technology, LLC
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2.
*/
#include <fcntl.h>
#include <getopt.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <libgen.h>
#include <limits.h>
#include <sepol/cil/cil.h>
#include <semanage/modules.h>
#include "sha256.h"
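/* Operation requested by a command-line switch.  One entry is queued per
 * occurrence (see struct command) and executed later.  The enumerators
 * are also used as indices into do_commit below, so the two must agree. */
enum client_modes {
	NO_MODE,	/* no operation selected */
	INSTALL_M,	/* -i/--install MODULE_PKG */
	REMOVE_M,	/* -r/--remove MODULE_NAME */
	EXTRACT_M,	/* -E/--extract MODULE_NAME */
	CIL_M,		/* -c/--cil: extract in CIL form */
	HLL_M,		/* -H/--hll: extract in HLL form */
	LIST_M,		/* -l/--list-modules[=KIND] */
	RELOAD,		/* -R/--reload */
	PRIORITY_M,	/* -X/--priority=PRIORITY for following operations */
	ENABLE_M,	/* -e/--enable MODULE_NAME */
	DISABLE_M	/* -d/--disable MODULE_NAME */
};

/* list of modes in which one ought to commit afterwards */
/* Indexed by enum client_modes.  Designated initializers tie each flag to
 * its mode by name, so adding or reordering an enumerator can no longer
 * silently shift which operations trigger a commit (the positional form
 * had to be edited in lock-step with the enum).  Only operations that
 * modify the module store -- install, remove, enable, disable -- commit;
 * any enumerator left out here would default to 0. */
static const int do_commit[] = {
	[NO_MODE]    = 0,
	[INSTALL_M]  = 1,
	[REMOVE_M]   = 1,
	[EXTRACT_M]  = 0,
	[CIL_M]      = 0,
	[HLL_M]      = 0,
	[LIST_M]     = 0,
	[RELOAD]     = 0,
	[PRIORITY_M] = 0,
	[ENABLE_M]   = 1,
	[DISABLE_M]  = 1,
};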
/* One queued command-line operation: the mode (install, remove, ...) and
 * its argument, e.g. a module package path or a module name.  `arg` is a
 * heap copy owned by this entry; cleanup() frees it. */
struct command {
	enum client_modes mode;
	char *arg;
};

/* Growable array of the operations gathered from argv (presumably filled
 * while options are parsed; the parser is not in this excerpt).
 * `num_commands` is the number of valid entries in `commands`. */
static struct command *commands = NULL;
static int num_commands = 0;
/* options given on command line */
/* Flag variables for the switches listed by usage(); the mapping below is
 * by name and should be confirmed against the option parser in main(). */
static int verbose;			/* -v/--verbose */
static int reload;			/* -R/--reload */
static int no_reload;			/* -N/-n/--noreload: skip policy reload after commit */
static int build;			/* -B/--build: rebuild and reload policy */
static int disable_dontaudit;		/* -D/--disable_dontaudit */
static int preserve_tunables;		/* -P/--preserve_tunables */
static int ignore_module_cache;		/* -C/--ignore-module-cache */
static uint16_t priority;		/* -X/--priority, 1-999 per usage() */
static int priority_set = 0;		/* non-zero once -X has been given (name-based; verify) */

static semanage_handle_t *sh = NULL;	/* libsemanage connection handle */
static char *store;			/* -s/--store: store name, set by set_store() */
static char *store_root;		/* -S/--store-path: alternate store root, set by set_store_root() */
/* --cil selector for -E/--extract (see the extract commit message).
 * NOTE(review): this is the only file-scope variable without `static`;
 * nothing in this excerpt references it from another translation unit,
 * so it likely should be made static to keep the global namespace clean
 * -- confirm no other source file uses it before changing the linkage. */
int extract_cil = 0;
/* Added together with the "sha256.h" include; presumably selects a
 * checksum-printing mode.  The option itself is not in this excerpt. */
static int checksum = 0;

/* <unistd.h> and <getopt.h> (both included above) already declare these;
 * the explicit externs are redundant but harmless. */
extern char *optarg;
extern int optind;
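/* Release the queued command list.
 *
 * Frees every command argument (heap copies owned by the entries) and
 * the `commands` array itself, then resets both globals so that a second
 * call is a harmless no-op.  The reset is the change from the original:
 * it left a dangling `commands` pointer behind, so any repeated call --
 * cleanup() is reachable from the set_store*() failure paths as well as
 * (presumably) normal shutdown in main() -- would have freed the array a
 * second time.  free(NULL) is defined, so an empty or already-released
 * list needs no special case.
 */
static void cleanup(void)
{
	int i;

	for (i = 0; i < num_commands; i++) {
		free(commands[i].arg);
	}
	free(commands);
	/* Leave no dangling pointer: makes the function idempotent. */
	commands = NULL;
	num_commands = 0;
}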
/* Signal handlers. */

/* Handler installed for SIGINT, SIGQUIT and SIGTERM.
 *
 * It intentionally does nothing: the signals are caught so their default
 * action (terminating the process) cannot fire in the middle of a module
 * store operation, and are then simply dropped.  Any other signal number
 * passed in is ignored the same way.
 */
static void handle_signal(int sig_num)
{
	switch (sig_num) {
	case SIGINT:
	case SIGQUIT:
	case SIGTERM:
		/* caught on purpose, then discarded */
		break;
	default:
		break;
	}
}
/* Record the name of the policy store to operate on.
 *
 * Copies `storename` into the file-scope `store` global.  Only a plain
 * store name is supported for now; a remote address may be accepted here
 * later.  When the copy cannot be allocated, an error is printed, the
 * queued commands are released via cleanup() and the process exits with
 * status 1.
 *
 * NOTE(review): a second call overwrites `store` without freeing the
 * earlier copy (e.g. if the option is repeated).  Harmless for this
 * short-lived tool, but worth knowing.
 */
static void set_store(char *storename)
{
	store = strdup(storename);
	if (store != NULL) {
		return;
	}

	fprintf(stderr, "Out of memory!\n");
	cleanup();
	exit(1);
}
/* Record an alternate root directory for the policy store.
 *
 * Copies `path` into the file-scope `store_root` global.  When the copy
 * cannot be allocated, an error is printed, the queued commands are
 * released via cleanup() and the process exits with status 1.  Mirrors
 * set_store(); a repeated call likewise replaces the pointer without
 * freeing the previous copy.
 */
static void set_store_root(char *path)
{
	store_root = strdup(path);
	if (store_root != NULL) {
		return;
	}

	fprintf(stderr, "Out of memory!\n");
	cleanup();
	exit(1);
}
/* Establish signal handlers for the process. */

/* Route SIGINT, SIGQUIT and SIGTERM to handle_signal(), in that order, so
 * an interactive interrupt cannot kill the tool part-way through a store
 * change.  The first signal() that fails aborts the program with status
 * 255, exactly as the original chained-|| form did.
 *
 * NOTE(review): signal() semantics (one-shot vs. persistent handler,
 * syscall restart) vary between implementations; sigaction() with an
 * explicit mask and flags would pin them down (CERT SIG01-C).
 */
static void create_signal_handlers(void)
{
	static const int caught[] = { SIGINT, SIGQUIT, SIGTERM };
	size_t i;

	for (i = 0; i < sizeof caught / sizeof caught[0]; i++) {
		if (signal(caught[i], handle_signal) == SIG_ERR) {
			fprintf(stderr, "Could not set up signal handler.\n");
			exit(255);
		}
	}
}
static void usage(char *progname)
{
printf("usage: %s [option]... MODE...\n", progname);
printf("Manage SELinux policy modules.\n");
printf("MODES:\n");
printf(" -R, --reload reload policy\n");
printf(" -B, --build build and reload policy\n");
printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
printf(" -i,--install=MODULE_PKG install a new module\n");
printf(" -r,--remove=MODULE_NAME remove existing module at desired priority\n");
printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n");
printf(" KIND: standard list highest priority, enabled modules\n");
printf(" full list all modules\n");
printf(" -X,--priority=PRIORITY set priority for following operations (1-999)\n");
printf(" -e,--enable=MODULE_NAME enable module\n");
printf(" -d,--disable=MODULE_NAME disable module\n");
printf(" -E,--extract=MODULE_NAME extract module\n");
printf("Options:\n");
printf(" -s,--store name of the store to operate on\n");
printf(" -N,-n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
printf(" -P,--preserve_tunables Preserve tunables in policy\n");
printf(" -C,--ignore-module-cache Rebuild CIL modules compiled from HLL files\n");
printf(" -p,--path use an alternate path for the policy root\n");
printf(" -S,--store-path use an alternate path for the policy store root\n");
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
}
/*
 * Append one entry to the global `commands` list.
 *
 * The new entry records `new_mode` and, when `arg` is non-NULL, a private
 * heap copy of `arg` (callers typically pass getopt's `optarg`, which is
 * not owned by this list). `num_commands` is advanced before the argument
 * is duplicated, so if strdup() fails the entry is already well-formed
 * with a NULL `arg` by the time cleanup() runs.
 *
 * Allocation failure is fatal: a message is printed to stderr, cleanup()
 * is invoked and the process exits with status 1. On realloc() failure
 * the old `commands` pointer is left untouched for cleanup() to release.
 */
static void set_mode(enum client_modes new_mode, char *arg)
{
	struct command *grown;
	struct command *entry;

	grown = realloc(commands, sizeof(*grown) * (num_commands + 1));
	if (grown == NULL) {
		fprintf(stderr, "Out of memory!\n");
		cleanup();
		exit(1);
	}
	commands = grown;

	entry = &commands[num_commands];
	entry->mode = new_mode;
	entry->arg = NULL;
	num_commands++;

	if (arg == NULL)
		return;

	entry->arg = strdup(arg);
	if (entry->arg == NULL) {
		fprintf(stderr, "Out of memory!\n");
		cleanup();
		exit(1);
	}
}
/* Parse command line and set global options. */
static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
{"install", required_argument, NULL, 'i'},
{"extract", required_argument, NULL, 'E'},
{"cil", 0, NULL, 'c'},
{"hll", 0, NULL, 'H'},
{"list-modules", optional_argument, NULL, 'l'},
{"verbose", 0, NULL, 'v'},
{"remove", required_argument, NULL, 'r'},
{"upgrade", required_argument, NULL, 'u'},
{"reload", 0, NULL, 'R'},
{"noreload", 0, NULL, 'n'},
{"build", 0, NULL, 'B'},
{"disable_dontaudit", 0, NULL, 'D'},
{"preserve_tunables", 0, NULL, 'P'},
{"ignore-module-cache", 0, NULL, 'C'},
{"priority", required_argument, NULL, 'X'},
{"enable", required_argument, NULL, 'e'},
{"disable", required_argument, NULL, 'd'},
{"path", required_argument, NULL, 'p'},
{"store-path", required_argument, NULL, 'S'},
{"checksum", 0, NULL, 'm'},
{NULL, 0, NULL, 0}
};
int extract_selected = 0;
int cil_hll_set = 0;
int i;
verbose = 0;
reload = 0;
no_reload = 0;
priority = 400;
while ((i =
getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
NULL)) != -1) {
switch (i) {
case 'b':
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
set_mode(INSTALL_M, optarg);
break;
case 'h':
usage(argv[0]);
exit(0);
case 'i':
set_mode(INSTALL_M, optarg);
break;
case 'E':
set_mode(EXTRACT_M, optarg);
extract_selected = 1;
break;
case 'c':
set_mode(CIL_M, NULL);
cil_hll_set = 1;
break;
case 'H':
set_mode(HLL_M, NULL);
cil_hll_set = 1;
break;
case 'l':
set_mode(LIST_M, optarg);
break;
case 'v':
verbose++;
break;
case 'r':
set_mode(REMOVE_M, optarg);
break;
case 'u':
fprintf(stderr, "The --upgrade option is deprecated. Use --install instead.\n");
set_mode(INSTALL_M, optarg);
break;
case 's':
set_store(optarg);
break;
case 'p':
semanage_set_root(optarg);
break;
case 'S':
set_store_root(optarg);
break;
case 'R':
reload = 1;
break;
case 'n':
no_reload = 1;
break;
case 'N':
no_reload = 1;
break;
case 'B':
build = 1;
break;
case 'D':
disable_dontaudit = 1;
break;
case 'P':
preserve_tunables = 1;
break;
case 'C':
ignore_module_cache = 1;
break;
case 'X':
set_mode(PRIORITY_M, optarg);
break;
case 'e':
set_mode(ENABLE_M, optarg);
break;
case 'd':
set_mode(DISABLE_M, optarg);
break;
case 'm':
checksum = 1;
break;
case '?':
default:{
usage(argv[0]);
exit(1);
}
}
}
if ((build || reload) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
usage(argv[0]);
exit(1);
}
if (num_commands == 0 && reload == 0 && build == 0) {
fprintf(stderr, "At least one mode must be specified.\n");
usage(argv[0]);
exit(1);
}
|
policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 14:30:14 +00:00
if (extract_selected == 0 && cil_hll_set == 1) {
fprintf(stderr, "--cil and --hll require a module to export with the --extract option.\n");
usage(argv[0]);
exit(1);
}
2008-08-19 19:30:36 +00:00
if (optind < argc) {
2018-03-19 11:08:12 +00:00
int mode = commands ? (int) commands[num_commands - 1].mode : -1;
policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 14:30:14 +00:00
/* if -i/u/r/E was the last command treat any remaining
2008-08-19 19:30:36 +00:00
* arguments as args. Will allow 'semodule -i *.pp' to
* work as expected.
*/
2018-03-19 11:08:12 +00:00
switch (mode) {
case INSTALL_M:
case REMOVE_M:
case EXTRACT_M:
case ENABLE_M:
case DISABLE_M:
while (optind < argc)
set_mode(mode, argv[optind++]);
break;
default:
fprintf(stderr, "unknown additional arguments:\n");
while (optind < argc)
fprintf(stderr, " %s", argv[optind++]);
fprintf(stderr, "\n\n");
usage(argv[0]);
exit(1);
2008-08-19 19:30:36 +00:00
}
}
}
2021-11-16 13:27:11 +00:00
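/* Get module checksum.
 *
 * Looks up the module `module_name` at priority `prio` through the global
 * semanage handle `sh`, extracts its content and returns the SHA-256 digest
 * of that content as a lowercase hexadecimal string.
 *
 * Returns a heap-allocated, NUL-terminated string that the caller must
 * free(), or NULL when key creation, extraction or allocation fails. No
 * diagnostic is printed from here; the caller decides how to report NULL.
 */
static char *hash_module_data(const char *module_name, const int prio) {
	semanage_module_info_t *extract_info = NULL;
	semanage_module_key_t *modkey = NULL;
	Sha256Context context;
	uint8_t sha256_hash[SHA256_HASH_SIZE];
	char *sha256_buf = NULL;
	void *data = NULL;
	size_t data_len = 0, i;
	int result;

	result = semanage_module_key_create(sh, &modkey);
	if (result != 0) {
		goto cleanup_extract;
	}

	result = semanage_module_key_set_name(sh, modkey, module_name);
	if (result != 0) {
		goto cleanup_extract;
	}

	/* prio is handed to the library as-is; range checking is left to it */
	result = semanage_module_key_set_priority(sh, modkey, prio);
	if (result != 0) {
		goto cleanup_extract;
	}

	/* The third argument selects the CIL representation (it is the same
	 * position main() fills with extract_cil), so the checksum is always
	 * taken over the CIL form. data_len stays 0 unless this succeeds,
	 * which is what gates the munmap() in the cleanup path. */
	result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
					 &extract_info);
	if (result != 0) {
		goto cleanup_extract;
	}

	Sha256Initialise(&context);
	Sha256Update(&context, data, data_len);
	Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);

	/* Two hex digits per digest byte plus the terminator; calloc() zeroes
	 * the buffer, so the final NUL is already in place. */
	sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
	if (sha256_buf == NULL) {
		goto cleanup_extract;
	}

	for (i = 0; i < SHA256_HASH_SIZE; i++) {
		/* bounded write: 2 hex chars + NUL into the remaining space */
		snprintf(&sha256_buf[i * 2], 3, "%02x", sha256_hash[i]);
	}

cleanup_extract:
	if (data_len > 0) {
		munmap(data, data_len);
	}
	semanage_module_info_destroy(sh, extract_info);
	free(extract_info);
	semanage_module_key_destroy(sh, modkey);
	free(modkey);
	return sha256_buf;
}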
2008-08-19 19:30:36 +00:00
int main(int argc, char *argv[])
{
int i, commit = 0;
int result;
int status = EXIT_FAILURE;
2017-02-06 16:06:42 +00:00
const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
2008-08-19 19:30:36 +00:00
create_signal_handlers();
2013-10-09 21:54:02 +00:00
if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
argc = 3;
2017-02-06 16:06:42 +00:00
argv = (char **)genhomedirconargv;
2013-10-09 21:54:02 +00:00
}
2008-08-19 19:30:36 +00:00
parse_command_line(argc, argv);
2019-10-21 05:55:05 +00:00
cil_set_log_level(CIL_ERR + verbose);
2008-08-19 19:30:36 +00:00
if (build)
commit = 1;
sh = semanage_handle_create();
if (!sh) {
fprintf(stderr, "%s: Could not create semanage handle\n",
argv[0]);
goto cleanup_nohandle;
}
if (store) {
/* Set the store we want to connect to, before connecting.
* this will always set a direct connection now, an additional
* option will need to be used later to specify a policy server
* location */
semanage_select_store(sh, store, SEMANAGE_CON_DIRECT);
}
2014-04-03 20:58:12 +00:00
if (store_root) {
semanage_set_store_root(sh, store_root);
}
2014-05-16 20:49:00 +00:00
/* create store if necessary, for bootstrapping */
semanage_set_create_store(sh, 1);
2008-08-19 19:30:36 +00:00
if ((result = semanage_connect(sh)) < 0) {
fprintf(stderr, "%s: Could not connect to policy handler\n",
argv[0]);
goto cleanup;
}
if (reload) {
if ((result = semanage_reload_policy(sh)) < 0) {
fprintf(stderr, "%s: Could not reload policy\n",
argv[0]);
goto cleanup;
}
}
if (build) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
argv[0], errno ? strerror(errno) : "");
goto cleanup;
}
}
semodule: add priority, enabled, and extended listing
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-23 23:25:59 +00:00
if ((result = semanage_set_default_priority(sh, priority)) != 0) {
fprintf(stderr,
"%s: Invalid priority %d (needs to be between 1 and 999)\n",
argv[0],
priority);
goto cleanup;
}
2008-08-19 19:30:36 +00:00
for (i = 0; i < num_commands; i++) {
enum client_modes mode = commands[i].mode;
char *mode_arg = commands[i].arg;
semodule: add priority, enabled, and extended listing
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-23 23:25:59 +00:00
2008-08-19 19:30:36 +00:00
switch (mode) {
case INSTALL_M:{
if (verbose) {
printf
("Attempting to install module '%s':\n",
mode_arg);
}
result =
2009-01-05 12:02:25 +00:00
semanage_module_install_file(sh, mode_arg);
2008-08-19 19:30:36 +00:00
break;
}
policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 14:30:14 +00:00
case EXTRACT_M:{
semanage_module_info_t *extract_info = NULL;
semanage_module_key_t *modkey = NULL;
uint16_t curr_priority;
void *data = NULL;
size_t data_len = 0;
char output_path[PATH_MAX];
const char *output_name = NULL;
const char *lang_ext = NULL;
int rlen;
FILE *output_fd = NULL;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) {
goto cleanup_extract;
}
result = semanage_module_key_set_name(sh, modkey, mode_arg);
if (result != 0) {
goto cleanup_extract;
}
if (priority_set == 0) {
result = semanage_module_get_module_info(sh, modkey, &extract_info);
if (result != 0) {
goto cleanup_extract;
}
semanage_module_info_get_priority(sh, extract_info, &curr_priority);
2021-10-04 12:57:19 +00:00
printf("Extracting at highest existing priority '%d'.\n", curr_priority);
policycoreutils/semodule: update semodule to allow extracting modules
Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.
If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.
If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.
Examples:
Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.
semodule --cil --extract wireshark
Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.
semodule -E wireshark
Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.
semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2015-08-06 14:30:14 +00:00
priority = curr_priority;
}
result = semanage_module_key_set_priority(sh, modkey, priority);
if (result != 0) {
goto cleanup_extract;
}
if (verbose) {
printf
("Attempting to extract module '%s':\n",
mode_arg);
}
result = semanage_module_extract(sh, modkey, extract_cil, &data, &data_len, &extract_info);
if (result != 0) {
goto cleanup_extract;
}
if (extract_cil) {
lang_ext = "cil";
} else {
result = semanage_module_info_get_lang_ext(sh, extract_info, &lang_ext);
if (result != 0) {
goto cleanup_extract;
}
}
result = semanage_module_info_get_name(sh, extract_info, &output_name);
if (result != 0) {
goto cleanup_extract;
}
rlen = snprintf(output_path, PATH_MAX, "%s.%s", output_name, lang_ext);
if (rlen < 0 || rlen >= PATH_MAX) {
fprintf(stderr, "%s: Failed to generate output path.\n", argv[0]);
result = -1;
goto cleanup_extract;
}
if (access(output_path, F_OK) == 0) {
fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
result = -1;
goto cleanup_extract;
}
output_fd = fopen(output_path, "w");
if (output_fd == NULL) {
fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
result = -1;
goto cleanup_extract;
}
if (fwrite(data, 1, data_len, output_fd) < data_len) {
fprintf(stderr, "%s: Unable to write to %s\n", argv[0], output_path);
result = -1;
goto cleanup_extract;
}
cleanup_extract:
if (output_fd != NULL) {
fclose(output_fd);
}
if (data_len > 0) {
munmap(data, data_len);
}
semanage_module_info_destroy(sh, extract_info);
free(extract_info);
semanage_module_key_destroy(sh, modkey);
free(modkey);
break;
}
case CIL_M:
extract_cil = 1;
break;
case HLL_M:
extract_cil = 0;
break;
2008-08-19 19:30:36 +00:00
case REMOVE_M:{
if (verbose) {
printf
("Attempting to remove module '%s':\n",
mode_arg);
}
result = semanage_module_remove(sh, mode_arg);
2009-02-16 16:41:02 +00:00
if ( result == -2 ) {
continue;
}
2008-08-19 19:30:36 +00:00
break;
}
case LIST_M:{
semodule: add priority, enabled, and extended listing
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove a module at the default if exists.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a new module at a lower priority will become active print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of base module on install is fixed to "_base" (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module which will be disabled by
existing enabled status (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules sorted alphabetical
by name
-lfull --list=full list all fields of all modules columnated
sorted high priority to low, within priority
alphabetical by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-23 23:25:59 +00:00
semanage_module_info_t *modinfos = NULL;
int modinfos_len = 0;
semanage_module_info_t *m = NULL;
int j = 0;
2021-11-16 13:27:11 +00:00
char *module_checksum = NULL;
|
|
|
|
uint16_t pri = 0;
|
semodule: add priority, enabled, and extended listing
This updates the semodule tool with the ability to set the priority for
commands, to enable/disable modules, and extended module listing options
for displaying extra module information (e.g., priority, enabled status,
and language extension).
[semodule priority]
-X --priority set the priority for following operations
Notes:
* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until
the next priority is specified.
* The default priority is used if no priority has yet been specified.
Impact on current operations:
* Install module
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* Upgrade module
* Without priority - Upgrade at default priority (current upgrade
semantics apply).
* With priority - Upgrade at specified priority (current upgrade
semantics apply).
* New warning when overriding (issued by libsemanage).
* Remove module
* Without priority - Remove the module at the default priority, if one exists there.
* With priority - Remove at that priority.
* New info messages (issued by libsemanage):
* If no modules exist at the given priority but do exist at other
priorities, give an info message listing the modules and priority.
* If a module at a lower priority will become active as a result, print a
message.
* If the last module with this name is being removed print a
message.
* Base
* The name of the base module is fixed to "_base" on install (performed by
libsemanage).
* Without priority - Install at default priority.
* With priority - Install at specified priority.
* New warning when overriding (issued by libsemanage).
* List modules
* See listing changes below.
Examples:
semodule -i foo.pp
semodule -X 500 -i foo.pp
[semodule enable/disable]
Add enable/disable status:
-e --enable enable the module (at all priorities)
-d --disable disable the module (at all priorities)
Notes:
* Base modules are always enabled and cannot have their enabled/disabled
status changed.
* New error when disabling a base module (from libsemanage).
* New warning when enabling a base module (from libsemanage).
Impact on current operations:
* Install module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module that will end up disabled because
an existing module of that name is disabled (from libsemanage).
* Upgrade module
* If a module with that name is already installed, then the enabled
status will remain the same after installing the new module.
* New warning when installing a module that will end up disabled because
an existing module of that name is disabled (from libsemanage).
* Remove module
* When the last module with a given name is removed (no more exist at
other priorities) then the enabled status is forgotten.
* Base
* Base modules are always installed enabled and remain so (can't be
disabled).
* List modules
* See listing changes below.
Examples:
semodule -e foo
semodule -d foo
[semodule list]
-l --list list modules as if by -lstandard
-lstandard --list=standard list name and version of highest priority,
enabled, non-base modules, sorted alphabetically
by name
-lfull --list=full list all fields of all modules in columns,
sorted from high priority to low and, within a
priority, alphabetically by name
Impact on current operations:
* List modules
* Default listing stays the same.
* New long options for 'standard' and 'full'.
Examples:
semodule -l
semodule -lstandard
semodule --list=standard
alsa 1.7.1
apm 1.9.1
apt 1.5.2
authlogin 2.0.0
avahi 1.10.3
bluetooth 3.1.3
...
semodule -lfull
semodule --list=full
600 alsa 1.7.1 disabled pp
400 _base 1.0.0 pp
400 alsa 1.7.1 disabled pp
400 apm 1.9.1 pp
400 apt 1.5.2 pp
400 authlogin 2.0.0 pp
...
100 alsa 1.7.1 disabled pp
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-23 23:25:59 +00:00
|
|
|
|
2008-08-19 19:30:36 +00:00
|
|
|
if (verbose) {
|
|
|
|
printf
|
|
|
|
("Attempting to list active modules:\n");
|
|
|
|
}
|
2009-12-23 23:25:59 +00:00
|
|
|
|
|
|
|
if (mode_arg == NULL || strcmp(mode_arg, "standard") == 0) {
|
|
|
|
result = semanage_module_list(sh,
|
|
|
|
&modinfos,
|
|
|
|
&modinfos_len);
|
|
|
|
if (result < 0) goto cleanup_list;
|
|
|
|
|
|
|
|
if (modinfos_len == 0) {
|
2008-08-19 19:30:36 +00:00
|
|
|
printf("No modules.\n");
|
|
|
|
}
|
2009-12-23 23:25:59 +00:00
|
|
|
|
|
|
|
const char *name = NULL;
|
|
|
|
|
|
|
|
for (j = 0; j < modinfos_len; j++) {
|
|
|
|
m = semanage_module_list_nth(modinfos, j);
|
|
|
|
|
|
|
|
result = semanage_module_info_get_name(sh, m, &name);
|
|
|
|
if (result != 0) goto cleanup_list;
|
|
|
|
|
2021-11-16 13:27:11 +00:00
|
|
|
result = semanage_module_info_get_priority(sh, m, &pri);
|
|
|
|
if (result != 0) goto cleanup_list;
|
|
|
|
|
|
|
|
printf("%s", name);
|
|
|
|
if (checksum) {
|
|
|
|
module_checksum = hash_module_data(name, pri);
|
|
|
|
if (module_checksum) {
|
|
|
|
printf(" %s", module_checksum);
|
|
|
|
free(module_checksum);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
printf("\n");
|
2008-08-19 19:30:36 +00:00
|
|
|
}
|
|
|
|
}
|
2009-12-23 23:25:59 +00:00
|
|
|
else if (strcmp(mode_arg, "full") == 0) {
|
|
|
|
/* get the modules */
|
|
|
|
result = semanage_module_list_all(sh,
|
|
|
|
&modinfos,
|
|
|
|
&modinfos_len);
|
|
|
|
if (result != 0) goto cleanup_list;
|
|
|
|
|
|
|
|
if (modinfos_len == 0) {
|
|
|
|
printf("No modules.\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
/* calculate column widths */
|
2021-11-16 13:27:11 +00:00
|
|
|
size_t column[5] = { 0, 0, 0, 0, 0 };
|
2009-12-23 23:25:59 +00:00
|
|
|
|
|
|
|
/* fixed width columns */
|
|
|
|
column[0] = sizeof("000") - 1;
|
2014-05-16 20:49:00 +00:00
|
|
|
column[3] = sizeof("disabled") - 1;
|
2021-11-16 13:27:11 +00:00
|
|
|
column[4] = 64; /* SHA256_HASH_SIZE * 2 */
|
2009-12-23 23:25:59 +00:00
|
|
|
|
|
|
|
/* variable width columns */
|
|
|
|
const char *tmp = NULL;
|
|
|
|
size_t size;
|
|
|
|
for (j = 0; j < modinfos_len; j++) {
|
|
|
|
m = semanage_module_list_nth(modinfos, j);
|
|
|
|
|
|
|
|
result = semanage_module_info_get_name(sh, m, &tmp);
|
|
|
|
if (result != 0) goto cleanup_list;
|
|
|
|
|
|
|
|
size = strlen(tmp);
|
|
|
|
if (size > column[1]) column[1] = size;
|
|
|
|
|
|
|
|
result = semanage_module_info_get_lang_ext(sh, m, &tmp);
|
|
|
|
if (result != 0) goto cleanup_list;
|
|
|
|
|
|
|
|
size = strlen(tmp);
|
2021-11-16 15:11:22 +00:00
|
|
|
if (size > column[2]) column[2] = size;
|
2009-12-23 23:25:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* print out each module */
|
|
|
|
for (j = 0; j < modinfos_len; j++) {
|
|
|
|
const char *name = NULL;
|
|
|
|
int enabled = 0;
|
|
|
|
const char *lang_ext = NULL;
m = semanage_module_list_nth(modinfos, j);
result = semanage_module_info_get_priority(sh, m, &pri);
if (result != 0) goto cleanup_list;
result = semanage_module_info_get_name(sh, m, &name);
if (result != 0) goto cleanup_list;
result = semanage_module_info_get_enabled(sh, m, &enabled);
if (result != 0) goto cleanup_list;
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
if (result != 0) goto cleanup_list;
printf("%0*u %-*s %-*s %-*s",
(int)column[0], pri,
(int)column[1], name,
(int)column[2], lang_ext,
(int)column[3], enabled ? "" : "disabled");
if (checksum) {
module_checksum = hash_module_data(name, pri);
if (module_checksum) {
printf(" %-*s", (int)column[4], module_checksum);
free(module_checksum);
}
}
printf("\n");
}
}
else {
result = -1;
}
cleanup_list:
for (j = 0; j < modinfos_len; j++) {
m = semanage_module_list_nth(modinfos, j);
semanage_module_info_destroy(sh, m);
}
free(modinfos);
break;
}
case PRIORITY_M:{
char *endptr = NULL;
priority = (uint16_t)strtoul(mode_arg, &endptr, 10);
priority_set = 1;
if ((result = semanage_set_default_priority(sh, priority)) != 0) {
fprintf(stderr,
"%s: Invalid priority %d (needs to be between 1 and 999)\n",
argv[0],
priority);
goto cleanup;
}
break;
}
case ENABLE_M:{
if (verbose) {
printf
("Attempting to enable module '%s':\n",
mode_arg);
}
semanage_module_key_t *modkey = NULL;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) goto cleanup_enable;
result = semanage_module_key_set_name(sh, modkey, mode_arg);
if (result != 0) goto cleanup_enable;
result = semanage_module_set_enabled(sh, modkey, 1);
if (result != 0) goto cleanup_enable;
cleanup_enable:
semanage_module_key_destroy(sh, modkey);
free(modkey);
break;
}
case DISABLE_M:{
if (verbose) {
printf
("Attempting to disable module '%s':\n",
mode_arg);
}
semanage_module_key_t *modkey = NULL;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) goto cleanup_disable;
result = semanage_module_key_set_name(sh, modkey, mode_arg);
if (result != 0) goto cleanup_disable;
result = semanage_module_set_enabled(sh, modkey, 0);
if (result != 0) goto cleanup_disable;
cleanup_disable:
semanage_module_key_destroy(sh, modkey);
free(modkey);
break;
}
default:{
fprintf(stderr,
"%s: Unknown mode specified.\n",
argv[0]);
usage(argv[0]);
goto cleanup;
}
}
commit += do_commit[mode];
if (result < 0) {
fprintf(stderr, "%s: Failed on %s!\n", argv[0],
mode_arg ? : "list");
goto cleanup;
} else if (verbose) {
printf("Ok: return value of %d.\n", result);
}
}
if (commit) {
if (verbose)
printf("Committing changes:\n");
if (no_reload)
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)
semanage_set_disable_dontaudit(sh, 0);
if (preserve_tunables)
semanage_set_preserve_tunables(sh, 1);
if (ignore_module_cache)
semanage_set_ignore_module_cache(sh, 1);
result = semanage_commit(sh);
}
if (result < 0) {
fprintf(stderr, "%s: Failed!\n", argv[0]);
goto cleanup;
} else if (commit && verbose) {
printf("Ok: transaction number %d.\n", result);
}
if (semanage_disconnect(sh) < 0) {
fprintf(stderr, "%s: Error disconnecting\n", argv[0]);
goto cleanup;
}
status = EXIT_SUCCESS;
cleanup:
if (semanage_is_connected(sh)) {
if (semanage_disconnect(sh) < 0) {
fprintf(stderr, "%s: Error disconnecting\n", argv[0]);
}
}
semanage_handle_destroy(sh);
cleanup_nohandle:
cleanup();
exit(status);
}