policycoreutils: semanage: option to not load new policy into kernel after changes

Add -N, --noreload option to semanage to prevent reloading policy into the kernel after a change. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2025-03-31 07:56:22 +00:00 · 2012-05-08 08:37:45 -04:00 · 2012-05-08 08:37:45 -04:00 · e5962bb179
commit e5962bb179
parent cf87e75d45
3 changed files with 55 additions and 35 deletions
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@ -41,6 +41,7 @@ except IOError:
 if __name__ == '__main__':
 	manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"]
 	action  = False
+	load = True
 	def set_action(option):
 		global action
 		if action:
@ -52,16 +53,16 @@ if __name__ == '__main__':
 semanage [ -S store ] -i [ input_file | - ]
 semanage [ -S store ] -o [ output_file | - ]

-semanage login -{a|d|m|l|D|E} [-nsr] login_name | %groupname
-semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
-semanage port -{a|d|m|l|D|E} [-ntr] [ -p proto ] port | port_range
-semanage interface -{a|d|m|l|D|E} [-ntr] interface_spec
-semanage module -{a|d|m} [--enable|--disable] module
-semanage node -{a|d|m|l|D|E} [-ntr] [ -p protocol ] [-M netmask] addr
-semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
-semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
-semanage permissive -{d|a|l} [-n] type
-semanage dontaudit [ on | off ]
+semanage login -{a|d|m|l|D|E} [-Nnsr] login_name | %groupname
+semanage user -{a|d|m|l|D|E} [-LNnrRP] selinux_name
+semanage port -{a|d|m|l|D|E} [-Nntr] [ -p proto ] port | port_range
+semanage interface -{a|d|m|l|D|E} [-Nntr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] [-N] module
+semanage node -{a|d|m|l|D|E} [-Nntr] [ -p protocol ] [-M netmask] addr
+semanage fcontext -{a|d|m|l|D|E} [-Nefnrst] file_spec
+semanage boolean -{d|m} [--on|--off|-1|-0] [-N] -F boolean | boolean_file
+semanage permissive -{d|a|l} [-Nn] type
+semanage dontaudit [ on | off ] [-N]

 Primary Options:

@ -94,6 +95,7 @@ Object-specific Options (see above):
        -F, --file       Treat target as an input file for command, change multiple settings
 	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
 	-M, --mask       Netmask
+	-N, --noreload   Do not reload policy after commit
 	-e, --equal      Substitue source path for dest path when labeling
 	-P, --prefix     Prefix for home directory labeling
 	-L, --level      Default SELinux Level (MLS/MCS Systems only)
@ -115,26 +117,26 @@ Object-specific Options (see above):
 	def get_options():
 		valid_option={}
 		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ]
-		valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall']
+		valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall', '-N', '--noreload']
 		valid_option["login"] = []
 		valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
 		valid_option["user"] = []
-		valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
+		valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix', '-N', '--noreload' ]
 		valid_option["port"] = []
-		valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
+		valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' , '-N', '--noreload' ]
 		valid_option["interface"] = []
-		valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
+		valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-N', '--noreload' ]
 		valid_option["node"] = []
-		valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
+		valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol', '-N', '--noreload' ]
 		valid_option["module"] = []
-		valid_option["module"] += valid_everyone + [ '--enable', '--disable']
+		valid_option["module"] += valid_everyone + [ '--enable', '--disable', '-N', '--noreload' ]
 		valid_option["fcontext"] = []
-		valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range']
+		valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range', '-N', '--noreload' ]
 		valid_option["dontaudit"] = [ '-S', '--store' ]
 		valid_option["boolean"] = []
-		valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"]
+		valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file", '-N', '--noreload' ]
 		valid_option["permissive"] = []
-		valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
+		valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' , '-N', '--noreload' ]
 		return valid_option

        def mkargv(line):
@ -185,6 +187,7 @@ Object-specific Options (see above):

        def process_args(argv):
 		global action
+		global load
 		action = False
 		serange = ""
 		port = ""
@ -222,7 +225,7 @@ Object-specific Options (see above):

 		try:
 			gopts, cmds = getopt.getopt(args,
-						    '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
+						    '01adEe:f:i:lhmNnp:s:FCDR:L:r:t:P:S:M:',
 						    ['add',
 						     'delete',
 						     'deleteall',
@ -237,6 +240,7 @@ Object-specific Options (see above):
 						     'list',
 						     'modify',
 						     'noheading',
+						     'noreload',
 						     'off',
 						     'on',
 						     'proto=',
@ -296,6 +300,9 @@ Object-specific Options (see above):
 			if o == "-n" or o == "--noheading":
 				heading = False

+			if o == "-N" or o == "--noreload":
+				load = False
+
 			if o == "-C" or o == "--locallist":
 				locallist = True

@ -380,9 +387,10 @@ Object-specific Options (see above):
                               OBJECT.list(heading, locallist)
                        return
 			
+		OBJECT.set_reload(load)
 		if deleteall:
 			OBJECT.deleteall()
-                        return
+			return
 			
 		if extract:
 			for i in OBJECT.customized():
@ -504,7 +512,7 @@ Object-specific Options (see above):
                      usage(_("Requires 2 or more arguments"))
                
               gopts, cmds = getopt.getopt(sys.argv[1:],
-                                           '01adf:i:lhmno:p:s:FCDR:L:r:t:P:S:',
+                                           '01adf:i:lhmno:p:s:NFCDR:L:r:t:P:S:',
                                           ['add',
                                            'delete',
                                            'deleteall',
@ -515,6 +523,7 @@ Object-specific Options (see above):
                                            'list', 
                                            'modify',
                                            'noheading',
+                                            'noreload',
                                            'off', 
                                            'on', 
                                            'output=',
@ -534,6 +543,8 @@ Object-specific Options (see above):
                             input = a
                      if o == "-o" or o == '--output':
                             output = a
+                      if o == "-N" or o == "--noreload":
+                             load = False

               if output != None:
                      if output != "-":
@ -552,6 +563,7 @@ Object-specific Options (see above):
                      trans.start()
                      for l in fd.readlines():
                             process_args(mkargv(l))
+                      trans.set_reload(load)
                      trans.finish()
               else:
                      process_args(sys.argv[1:])
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@ -14,58 +14,58 @@ Input local customizations
 Manage booleans.  Booleans allow the administrator to modify the confinement of
 processes based on his configuration.
 .br
-.B semanage boolean [\-S store] \-{d|m|l|D} [\-n] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file
+.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file

 Manage SELinux confined users (Roles and levels for an SELinux user)
 .br
-.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnPrR] selinux_name
+.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name

 Manage login mappings between linux users and SELinux confined users.
 .br
-.B semanage login [\-S store] \-{a|d|m|l|D} [\-nrs] login_name | %groupname
+.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname

 Manage policy modules.
 .br
-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name
+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name

 Manage network port type definitions
 .br
-.B semanage port [\-S store] \-{a|d|m|l|D} [\-nrt] [\-p proto] port | port_range
+.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range
 .br

 Manage network interface type definitions
 .br
-.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nrt] interface_spec
+.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec

 Manage network node type definitions
 .br
-.B semanage node [\-S store] -{a|d|m|l|D} [-nrt] [ -p protocol ] [-M netmask] address
+.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address
 .br

 Manage file context mapping definitions
 .br
 .B semanage fcontext [\-S store] \-{l} [\-Cn]
 .br
-.B semanage fcontext [\-S store] \-D
+.B semanage fcontext [\-S store] \-D [\-N]
 .br
-.B semanage fcontext [\-S store] \-{a|d|m} [\-frst] file_spec
+.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec
 .br
 .B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target
 .br

 Manage processes type enforcement mode
 .br
-.B semanage permissive [\-S store] \-{a|d|l|D} [\-n] type
+.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type
 .br

 Disable/Enable dontaudit rules in policy
 .br
-.B semanage dontaudit [\-S store] [ on | off ]
+.B semanage dontaudit [\-N] [\-S store] [ on | off ]
 .P

 Execute multiple commands within a single transaction.
 .br
-.B semanage [\-S store] \-i command-file
+.B semanage [\-S store] [\-N] \-i command-file
 .br

 .SH "DESCRIPTION"
@ -143,6 +143,9 @@ Network Mask
 .I                \-n, \-\-noheading  
 Do not print heading when listing OBJECTS.
 .TP
+.B  \-N,\-\-noreload
+do not reload policy after commit
+.TP
 .I                \-p, \-\-proto
 Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
 .TP
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@ -203,7 +203,7 @@ class semanageRecords:
        store = None
        def __init__(self, store):
               global handle
-
+	       self.load = True
               self.sh = self.get_handle(store)

 	       rc, localstore = selinux.selinux_getpolicytype()
@ -212,6 +212,9 @@ class semanageRecords:
 	       else:
 		       self.mylog = nulllogger()	

+	def set_reload(self, load):
+	       self.load = load
+
        def get_handle(self, store):
 		global is_mls_enabled

@ -269,6 +272,8 @@ class semanageRecords:
        def commit(self):
 		if semanageRecords.transaction:
 			return
+
+		semanage_set_reload(self.sh, self.load)
 		rc = semanage_commit(self.sh) 
 		if rc < 0:
 			self.mylog.commit(0)