Message ID | 20191008064500.8651-1-yamato@redhat.com (mailing list archive)
---|---
Series | dispol: add batch execution mode
On 10/8/19 2:44 AM, Masatake YAMATO wrote:
> dispol command requires interaction, and is not suitable for use
> in a script. This patch set introduces -b for running
> dispol non-interactively.
>
> An example:
>
> $ ./dispol -b 1 /sys/fs/selinux/policy
> allow deltacloudd_log_t tmp_t : filesystem { associate };
> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...

What is your intended use case for this support, i.e. how do you
envision using dispol in scripts?

If you just want to decompile policy, I'd recommend using checkpolicy
-F/--conf or checkpolicy -c/--cil, a la:
checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
or
checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil

> ...
>
> Masatake YAMATO (5):
>   dispol: extend usage() to take exit status
>   dispol: add an option for printing the command usage
>   dispol: introduce a local variable representing the input file
>   dispol: introduce -b option to run commands in batch
>   dispol: add the list of commands for batch mode to help message
>
>  checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>  1 file changed, 69 insertions(+), 27 deletions(-)
>
On 10/8/19 8:48 AM, Stephen Smalley wrote:
> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>> dispol command requires interaction, and is not suitable for use
>> in a script. This patch set introduces -b for running
>> dispol non-interactively.
>>
>> An example:
>>
>> $ ./dispol -b 1 /sys/fs/selinux/policy
>> allow deltacloudd_log_t tmp_t : filesystem { associate };
>> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>
> What is your intended use case for this support, i.e. how do you
> envision using dispol in scripts?
>
> If you just want to decompile policy, I'd recommend using checkpolicy
> -F/--conf or checkpolicy -c/--cil, a la:
> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
> or
> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil

Or you could just use sesearch -A if you wanted to just dump all allow
rules, for example, or seinfo -b for all booleans, ...

dispol/dismod have always just been test/debug/developer utilities and
predated the ability to decompile policies with checkpolicy, so I'm
not sure if they are even still useful to keep around. Is anyone
still using them?

>
>> ...
>>
>> Masatake YAMATO (5):
>>   dispol: extend usage() to take exit status
>>   dispol: add an option for printing the command usage
>>   dispol: introduce a local variable representing the input file
>>   dispol: introduce -b option to run commands in batch
>>   dispol: add the list of commands for batch mode to help message
>>
>>  checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>>  1 file changed, 69 insertions(+), 27 deletions(-)
>>
>
On Tue, 8 Oct 2019 10:31:37 -0400, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/8/19 8:48 AM, Stephen Smalley wrote:
>> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>>> dispol command requires interaction, and is not suitable for use
>>> in a script. This patch set introduces -b for running
>>> dispol non-interactively.
>>>
>>> An example:
>>>
>>> $ ./dispol -b 1 /sys/fs/selinux/policy
>>> allow deltacloudd_log_t tmp_t : filesystem { associate };
>>> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>> What is your intended use case for this support, i.e. how do you
>> envision using dispol in scripts?
>> If you just want to decompile policy, I'd recommend using checkpolicy
>> -F/--conf or checkpolicy -c/--cil, a la:
>> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
>> or
>> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
>
> Or you could just use sesearch -A if you wanted to just dump all allow
> rules, for example, or seinfo -b for all booleans, ...
>
> dispol/dismod have always just been test/debug/developer utilities and
> predated the ability to decompile policies with checkpolicy, so I'm
> not sure if they are even still useful to keep around. Is anyone
> still using them?

Thank you for the comment.

I didn't know that checkpolicy can be used for decompiling policies.
I read checkpolicy.8, and I found that what I want is a way to write
decompiled policies to standard output, so I can read the result with
the less command, or filter it with grep. I frequently do something
similar with objdump.

I would like to withdraw the patches about dispol. Instead, I proposed
'-o -' for writing decompiled policies to standard output in another
mail thread. Could you review the proposal?

Masatake YAMATO

>>
>>> ...
>>>
>>> Masatake YAMATO (5):
>>>   dispol: extend usage() to take exit status
>>>   dispol: add an option for printing the command usage
>>>   dispol: introduce a local variable representing the input file
>>>   dispol: introduce -b option to run commands in batch
>>>   dispol: add the list of commands for batch mode to help message
>>>
>>>  checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>>>  1 file changed, 69 insertions(+), 27 deletions(-)
>>>
>>
>
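The workflow the thread converges on (decompile the kernel policy with checkpolicy, then filter the text the way one filters objdump output), as an added shell example that is not code from the thread, from checkpolicy or from setools. The awk filter assumes allow rules in the plain-text `allow src tgt : class { perms };` form shown in the dispol output above (a `tgt:class` spelling without spaces is tolerated too); the sample rules are constructed and name no real policy. `decompile_running_policy` assumes the `/sys/fs/selinux/policy` path and the `-M` flag from Stephen's command, and writes through a temporary file rather than relying on the `-o -` option Masatake proposes in the other thread.

```sh
#!/bin/sh
# Added example: filter decompiled SELinux allow rules by source type and
# permission. Not code from the thread, checkpolicy or setools.
# Assumed rule forms (as printed by dispol in the thread):
#   allow <source> <target> : <class> { perm1 perm2 ... };
#   allow <source> <target> : <class> perm;

# Constructed sample of decompiled output; the rules are made up for the
# demonstration and are not taken from a real policy.
SAMPLE_RULES='allow deltacloudd_log_t tmp_t : filesystem { associate };
allow kern_unconfined sysctl_type : lnk_file { ioctl read };
allow sshd_t sshd_key_t : file { read open getattr };
allow sshd_t tmp_t : dir search;
allow httpd_t tmp_t:file { read write };'

# allow_rules_for SRC PERM
# Reads decompiled policy text on stdin and prints each allow rule whose
# source type is exactly SRC and whose permission set contains PERM.
# Unlike "grep SRC", this ignores SRC in the target position, and unlike
# "grep PERM" it only looks inside the permission set.
allow_rules_for() {
    awk -v src="$1" -v perm="$2" '
        {
            orig = $0
            line = $0
            gsub(/:/, " : ", line)      # normalise "tgt:class" to "tgt : class"
            gsub(/[{};]/, " ", line)    # braces and ";" become separators
            $0 = line                   # re-split into whitespace fields
            if ($1 != "allow" || $2 != src || $4 != ":") next
            for (i = 6; i <= NF; i++)   # fields after the class are permissions
                if ($i == perm) { print orig; break }
        }'
}

# decompile_running_policy
# Decompiles the running kernel policy to policy.conf syntax and streams it
# on stdout so it can be piped into allow_rules_for, less or grep.
# Assumptions: policy at /sys/fs/selinux/policy, MLS policy (-M); adjust
# both for your system. checkpolicy's own progress messages go to /dev/null.
decompile_running_policy() {
    command -v checkpolicy >/dev/null 2>&1 || {
        echo "checkpolicy not installed" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    checkpolicy -M -b /sys/fs/selinux/policy -F -o "$tmp" >/dev/null && cat "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on the constructed sample: which sshd_t rules grant "read"?
printf '%s\n' "$SAMPLE_RULES" | allow_rules_for sshd_t read
```

On a live system the same filter is `decompile_running_policy | allow_rules_for sshd_t read`; the sample run above prints only the sshd_key_t rule, because the tmp_t rule grants search, not read, and the rules that merely mention tmp_t as a target are not sshd_t rules at all.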