
[userspace,1/2] libsemanage: always write kernel policy when check_ext_changes is specified

Message ID 20220608170954.114668-2-omosnace@redhat.com (mailing list archive)
State Accepted
Commit bdbe52be1bfb
Series Refine semantics of libsemanage's check_ext_changes

Commit Message

Ondrej Mosnacek June 8, 2022, 5:09 p.m. UTC
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.

Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsemanage/include/semanage/handle.h | 2 +-
 libsemanage/src/direct_api.c          | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

Comments

Nicolas Iooss June 28, 2022, 9:01 p.m. UTC | #1
On Wed, Jun 8, 2022 at 7:23 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> For the use case of rebuilding the policy afte package updates, we need
> the check_ext_changes operation to always do at least the do_write_kernel
> step, because the various semanage dbs may have also changed content
> relative to the current binary policy. As this step is itself relatively
> fast, we can do it unconditionally.
>
> Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Hello,
This patch and the next one ("semodule: rename
--rebuild-if-modules-changed to --refresh") look good to me. Has
anyone also taken a look at them?

If nobody objects, I will merge it tomorrow, with a small misspelling
fix in the commit message (afte -> after).

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Thanks,
Nicolas

> ---
>  libsemanage/include/semanage/handle.h | 2 +-
>  libsemanage/src/direct_api.c          | 8 +++++---
>  2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index 0157be4f..4cf30815 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -67,7 +67,7 @@ extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
>  extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
>
>  /* set whether to rebuild the policy on commit when potential changes
> - * to module files since last rebuild are detected,
> + * to store files since last rebuild are detected,
>   * 1 for yes (default), 0 for no */
>  extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
>
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index 7206483a..7aa081ab 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -1437,13 +1437,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>          * Determine what else needs to be done.
>          * We need to write the kernel policy if we are rebuilding
>          * or if any other policy component that lives in the kernel
> -        * policy has been modified.
> +        * policy has been modified. We also want to force it when
> +        * check_ext_changes was specified as the various dbases may have
> +        * changes as well.
>          * We need to install the policy files if any of the managed files
>          * that live under /etc/selinux (kernel policy, seusers, file contexts)
>          * will be modified.
>          */
> -       do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
> -               ibendports_modified |
> +       do_write_kernel = do_rebuild | sh->check_ext_changes |
> +               ports_modified | ibpkeys_modified | ibendports_modified |
>                 bools->dtable->is_modified(bools->dbase) |
>                 ifaces->dtable->is_modified(ifaces->dbase) |
>                 nodes->dtable->is_modified(nodes->dbase) |
> --
> 2.36.1
>
James Carter June 29, 2022, 4:55 p.m. UTC | #2
On Tue, Jun 28, 2022 at 5:08 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Wed, Jun 8, 2022 at 7:23 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > For the use case of rebuilding the policy afte package updates, we need
> > the check_ext_changes operation to always do at least the do_write_kernel
> > step, because the various semanage dbs may have also changed content
> > relative to the current binary policy. As this step is itself relatively
> > fast, we can do it unconditionally.
> >
> > Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Hello,
> This patch and the next one ("semodule: rename
> --rebuild-if-modules-changed to --refresh") look good to me. Has
> anyone also taken a look at them?
>
> If nobody objects, I will merge it tomorrow, with a small misspelling
> fix in the commit message (afte -> after).
>

These look good to me as well.
Thanks,
Jim


> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> Thanks,
> Nicolas
>
> > ---
> >  libsemanage/include/semanage/handle.h | 2 +-
> >  libsemanage/src/direct_api.c          | 8 +++++---
> >  2 files changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> > index 0157be4f..4cf30815 100644
> > --- a/libsemanage/include/semanage/handle.h
> > +++ b/libsemanage/include/semanage/handle.h
> > @@ -67,7 +67,7 @@ extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
> >  extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
> >
> >  /* set whether to rebuild the policy on commit when potential changes
> > - * to module files since last rebuild are detected,
> > + * to store files since last rebuild are detected,
> >   * 1 for yes (default), 0 for no */
> >  extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
> >
> > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > index 7206483a..7aa081ab 100644
> > --- a/libsemanage/src/direct_api.c
> > +++ b/libsemanage/src/direct_api.c
> > @@ -1437,13 +1437,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
> >          * Determine what else needs to be done.
> >          * We need to write the kernel policy if we are rebuilding
> >          * or if any other policy component that lives in the kernel
> > -        * policy has been modified.
> > +        * policy has been modified. We also want to force it when
> > +        * check_ext_changes was specified as the various dbases may have
> > +        * changes as well.
> >          * We need to install the policy files if any of the managed files
> >          * that live under /etc/selinux (kernel policy, seusers, file contexts)
> >          * will be modified.
> >          */
> > -       do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
> > -               ibendports_modified |
> > +       do_write_kernel = do_rebuild | sh->check_ext_changes |
> > +               ports_modified | ibpkeys_modified | ibendports_modified |
> >                 bools->dtable->is_modified(bools->dbase) |
> >                 ifaces->dtable->is_modified(ifaces->dbase) |
> >                 nodes->dtable->is_modified(nodes->dbase) |
> > --
> > 2.36.1
> >
>
Nicolas Iooss June 30, 2022, 7:34 p.m. UTC | #3
On Wed, Jun 29, 2022 at 6:55 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Jun 28, 2022 at 5:08 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > On Wed, Jun 8, 2022 at 7:23 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > For the use case of rebuilding the policy afte package updates, we need
> > > the check_ext_changes operation to always do at least the do_write_kernel
> > > step, because the various semanage dbs may have also changed content
> > > relative to the current binary policy. As this step is itself relatively
> > > fast, we can do it unconditionally.
> > >
> > > Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> >
> > Hello,
> > This patch and the next one ("semodule: rename
> > --rebuild-if-modules-changed to --refresh") look good to me. Has
> > anyone also taken a look at them?
> >
> > If nobody objects, I will merge it tomorrow, with a small misspelling
> > fix in the commit message (afte -> after).
> >
>
> These look good to me as well.
> Thanks,
> Jim

Thanks. I merged both patches.
Nicolas

> > Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> >
> > Thanks,
> > Nicolas
> >
> > > ---
> > >  libsemanage/include/semanage/handle.h | 2 +-
> > >  libsemanage/src/direct_api.c          | 8 +++++---
> > >  2 files changed, 6 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> > > index 0157be4f..4cf30815 100644
> > > --- a/libsemanage/include/semanage/handle.h
> > > +++ b/libsemanage/include/semanage/handle.h
> > > @@ -67,7 +67,7 @@ extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
> > >  extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
> > >
> > >  /* set whether to rebuild the policy on commit when potential changes
> > > - * to module files since last rebuild are detected,
> > > + * to store files since last rebuild are detected,
> > >   * 1 for yes (default), 0 for no */
> > >  extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
> > >
> > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > > index 7206483a..7aa081ab 100644
> > > --- a/libsemanage/src/direct_api.c
> > > +++ b/libsemanage/src/direct_api.c
> > > @@ -1437,13 +1437,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
> > >          * Determine what else needs to be done.
> > >          * We need to write the kernel policy if we are rebuilding
> > >          * or if any other policy component that lives in the kernel
> > > -        * policy has been modified.
> > > +        * policy has been modified. We also want to force it when
> > > +        * check_ext_changes was specified as the various dbases may have
> > > +        * changes as well.
> > >          * We need to install the policy files if any of the managed files
> > >          * that live under /etc/selinux (kernel policy, seusers, file contexts)
> > >          * will be modified.
> > >          */
> > > -       do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
> > > -               ibendports_modified |
> > > +       do_write_kernel = do_rebuild | sh->check_ext_changes |
> > > +               ports_modified | ibpkeys_modified | ibendports_modified |
> > >                 bools->dtable->is_modified(bools->dbase) |
> > >                 ifaces->dtable->is_modified(ifaces->dbase) |
> > >                 nodes->dtable->is_modified(nodes->dbase) |
> > > --
> > > 2.36.1
> > >
> >

Patch

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index 0157be4f..4cf30815 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -67,7 +67,7 @@  extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
 extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
 
 /* set whether to rebuild the policy on commit when potential changes
- * to module files since last rebuild are detected,
+ * to store files since last rebuild are detected,
  * 1 for yes (default), 0 for no */
 extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
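Review bot: the doc comment for semanage_set_check_ext_changes still only promises a rebuild when store changes are detected, but with this patch the commit path also rewrites the kernel policy unconditionally whenever do_check is set (see the direct_api.c hunk below). Suggest extending the comment so API users know enabling the check has a cost even when nothing changed, e.g. ` * to store files since last rebuild are detected; when set, the kernel` / ` * policy is always rewritten on commit, 1 for yes (default), 0 for no */`.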
 
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 7206483a..7aa081ab 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1437,13 +1437,15 @@  static int semanage_direct_commit(semanage_handle_t * sh)
 	 * Determine what else needs to be done.
 	 * We need to write the kernel policy if we are rebuilding
 	 * or if any other policy component that lives in the kernel
-	 * policy has been modified.
+	 * policy has been modified. We also want to force it when
+	 * check_ext_changes was specified as the various dbases may have
+	 * changes as well.
 	 * We need to install the policy files if any of the managed files
 	 * that live under /etc/selinux (kernel policy, seusers, file contexts)
 	 * will be modified.
 	 */
-	do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
-		ibendports_modified |
+	do_write_kernel = do_rebuild | sh->check_ext_changes |
+		ports_modified | ibpkeys_modified | ibendports_modified |
 		bools->dtable->is_modified(bools->dbase) |
 		ifaces->dtable->is_modified(ifaces->dbase) |
 		nodes->dtable->is_modified(nodes->dbase) |
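Review bot: the new comment text "the various dbases may have changes as well" should read "may have changed as well". More substantively, OR-ing sh->check_ext_changes into do_write_kernel means every commit with the check enabled rewrites the kernel policy even when no store file or dbase actually changed; the commit message accepts that as cheap, but the comment should say so explicitly (e.g. "always rewrite the kernel policy when check_ext_changes is set, since we cannot tell whether the dbases changed") so a later optimisation does not quietly drop it. Please also confirm that do_install is still derived from do_write_kernel further down, since the comment above says the policy files must be installed whenever the kernel policy under /etc/selinux will be modified; otherwise the forced write produces a policy file that is never installed.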