checkpolicy: allow to write policy to stdout

If - is given as filename for -o option, checkpolicy writes the policy to standard output. This helps users to read policy.conf and/or CIL policy file with pager like less command: $ checkpolicy -M -F -b /sys/fs/selinux/policy -o - | less The users don't have to make a temporary file. /dev/stdout can be used instead. However, - reduces the number of typing for the purpose. Using - for standard output (and/or standard input) is popular convention. Change(s) in v2: * Check the availability of output stream only when opening a regualar file. Suggested by Stephen Smalley <sds@tycho.nsa.gov>. Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2019-10-19 19:26:56 +09:00 · 2019-10-19 19:26:56 +09:00 · 9be4e7454d
parent b8455f774a
commit 9be4e7454d
2 changed files with 18 additions and 9 deletions
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@ -41,7 +41,8 @@ Specify the policy version, defaults to the latest.
 .TP
 .B \-o,\-\-output filename
 Write a policy file (binary, policy.conf, or CIL policy)
-to the specified filename.
+to the specified filename. If - is given as filename,
+write it to standard output.
 .TP
 .B \-S,\-\-sort
 Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
-	     "[-c policyvers (%d-%d)] [-o output_file] [-S] "
+	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
 	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
@ -390,7 +390,8 @@ int main(int argc, char **argv)
 	struct sepol_av_decision avd;
 	class_datum_t *cladatum;
 	const char *file = txtfile;
-	char ans[80 + 1], *outfile = NULL, *path, *fstype;
+	char ans[80 + 1], *path, *fstype;
+	const char *outfile = NULL;
 	size_t scontext_len, pathlen;
 	unsigned int i;
 	unsigned int protocol, port;
@ -638,10 +639,15 @@ int main(int argc, char **argv)
 	}

 	if (outfile) {
-		outfp = fopen(outfile, "w");
-		if (!outfp) {
-			perror(outfile);
-			exit(1);
+		if (!strcmp(outfile, "-")) {
+			outfp = stdout;
+			outfile = "<STDOUT>";
+		} else {
+			outfp = fopen(outfile, "w");
+			if (!outfp) {
+				perror(outfile);
+				exit(1);
+			}
 		}

 		policydb.policyvers = policyvers;
@ -682,7 +688,9 @@ int main(int argc, char **argv)
 			}
 		}

-		fclose(outfp);
+		if (outfp != stdout) {
+			fclose(outfp);
+		}
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);