65c6325271b54d3de9c17352a57d469dfbd12729 |
|
06-Aug-2015 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
policycoreutils/semodule: update semodule to allow extracting modules

Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H are not provided, the module will be output as HLL by default. Only --cil or --hll (which will use the lang_ext in the semodule store) are valid options to use with -E. The module is written to the current working directory as <module_name>.<lang_ext>.

If a module exists as HLL and is exported as CIL, it will first compile into CIL and cache to the module store. Once compiled, exporting will continue.

If no priority is provided when extracting a module, then extraction at the default priority, 400, will be attempted. If the module does not exist at the default priority, then it will be exported at the highest existing priority.

Examples:

Extract the wireshark module in a .cil format. If the module only exists as HLL on the system, the module will be compiled into CIL and placed into the module store. This command will then write wireshark.cil to the CWD.

    semodule --cil --extract wireshark

Extract the wireshark module in HLL format. Since the original HLL file was a policy package, a wireshark.pp will be written to the CWD.

    semodule -E wireshark

Extract the wireshark module as CIL and HLL and extract the puppet module as CIL at priority 400.

    semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/policycoreutils/semodule/semodule.c
|
28efbfd4ed1b57932d8a485197ddd29879d82998 |
|
03-Apr-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
policycoreutils: add semodule option to set store root path Add a new -S option to semodule. This option overrides store_root in semanage.conf and sets the SELinux store's root path. If neither -S, nor store_root are specified in semanage.conf, then the default location is used. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
241f9d2d03d0c0e218f1afd0a1ae11e2fa301b9f |
|
27-Feb-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
policycoreutils: add semodule flag for ignoring cached CIL Providing --ignore-module-cache will cause the recompilation of all HLL modules, and recaching of the resulting CIL files. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
e599a4318409b317b023bda2381034f80f4b6df5 |
|
16-May-2014 |
Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> |
policycoreutils: deprecate base/upgrade/version in semodule Providing --upgrade or --base will now just call --install, and display a deprecation message to the user. Additionally, because CIL has no concept of version numbers, this removes the version output from --list. Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
6e085368f1707ba3d1222a4f0d94e6298b6dbfbc |
|
22-Nov-2011 |
Steve Lawrence <slawrence@tresys.com> |
policycoreutils: semodule: add back support for alternative root paths Removed in commits: - Revert "policycoreutils: semodule: support for alternative root paths" Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
031ee84821a22eebb6d8524e7dcd84b703ee41fc |
|
24-Dec-2009 |
Caleb Case <ccase@tresys.com> |
semodule: add priority, enabled, and extended listing

This updates the semodule tool with the ability to set the priority for commands, to enable/disable modules, and extended module listing options for displaying extra module information (e.g., priority, enabled status, and language extension).

[semodule priority]

    -X --priority    set the priority for following operations

Notes:

* This sets the priority for the following operations.
* It can be used any number of times with its effect continuing until the next priority is specified.
* The default priority is used if no priority has yet been specified.

Impact on current operations:

* Install module
  * Without priority - Install at default priority.
  * With priority - Install at specified priority.
  * New warning when overriding (issued by libsemanage).
* Upgrade module
  * Without priority - Upgrade at default priority (current upgrade semantics apply).
  * With priority - Upgrade at specified priority (current upgrade semantics apply).
  * New warning when overriding (issued by libsemanage).
* Remove module
  * Without priority - Remove a module at the default if exists.
  * With priority - Remove at that priority.
  * New info messages (issued by libsemanage):
    * If no modules exist at the given priority but do exist at other priorities, give an info message listing the modules and priority.
    * If a new module at a lower priority will become active print a message.
    * If the last module with this name is being removed print a message.
* Base
  * The name of base module on install is fixed to "_base" (performed by libsemanage).
  * Without priority - Install at default priority.
  * With priority - Install at specified priority.
  * New warning when overriding (issued by libsemanage).
* List modules
  * See listing changes below.

Examples:

    semodule -i foo.pp
    semodule -X 500 -i foo.pp

[semodule enable/disable]

Add enable/disable status:

    -e --enable     enable the module (at all priorities)
    -d --disable    disable the module (at all priorities)

Notes:

* Base modules are always enabled and cannot have their enabled/disabled status changed.
  * New error when disabling a base module (from libsemanage).
  * New warning when enabling a base module (from libsemanage).

Impact on current operations:

* Install module
  * If a module with that name is already installed, then the enabled status will remain the same after installing the new module.
  * New warning when installing a module which will be disabled by existing enabled status (from libsemanage).
* Upgrade module
  * If a module with that name is already installed, then the enabled status will remain the same after installing the new module.
  * New warning when installing a module which will be disabled by existing enabled status (from libsemanage).
* Remove module
  * When the last module with a given name is removed (no more exist at other priorities) then the enabled status is forgotten.
* Base
  * Base modules are always installed enabled and remain so (can't be disabled).
* List modules
  * See listing changes below.

Examples:

    semodule -e foo
    semodule -d foo

[semodule list]

    -l --list                     list modules as if by -lstandard
    -lstandard --list=standard    list name and version of highest priority, enabled, non-base modules sorted alphabetical by name
    -lfull --list=full            list all fields of all modules columnated sorted high priority to low, within priority alphabetical by name

Impact on current operations:

* List modules
  * Default listing stays the same.
  * New long options for 'standard' and 'full'.

Examples:

    semodule -l
    semodule -lstandard
    semodule --list=standard
    alsa 1.7.1
    apm 1.9.1
    apt 1.5.2
    authlogin 2.0.0
    avahi 1.10.3
    bluetooth 3.1.3
    ...

    semodule -lfull
    semodule --list=full
    600 alsa 1.7.1 disabled pp
    400 _base 1.0.0 pp
    400 alsa 1.7.1 disabled pp
    400 apm 1.9.1 pp
    400 apt 1.5.2 pp
    400 authlogin 2.0.0 pp
    ...
    100 alsa 1.7.1 disabled pp

Signed-off-by: Chad Sellers <csellers@tresys.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
5ac1e98ab239baee0b3c46cbba318369ca2a4fdd |
|
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "policycoreutils: semodule: support for alternative root paths" This reverts commit 5e096d9ceb637a785d4537555799602a3de2b3dc. Conflicts: policycoreutils/semodule/semodule.c
/external/selinux/policycoreutils/semodule/semodule.c
|
30a2df81eb8a03f1414b30d7a9783d378d08c53d |
|
27-Sep-2011 |
Steve Lawrence <slawrence@tresys.com> |
Revert "Last attempt at upstreaming semodule_disable patch." This reverts commit 654dcb897e49908a958dae55cf29793412c4b390. Conflicts: policycoreutils/semodule/semodule.c
/external/selinux/policycoreutils/semodule/semodule.c
|
91d0de4adf5d9bfd57bf4188dab523811dc88e48 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
genhomedircon is no longer a script, but a link to semodule
/external/selinux/policycoreutils/semodule/semodule.c
|
7ae7858a6bfc1203d1c7db79e14c562ce560a919 |
|
08-May-2012 |
Dan Walsh <dwalsh@redhat.com> |
policycoreutils: semodule: Add -N qualifier to not reload kernel policy This makes semodule consistent with other commands to not reload the policy into the kernel after the given change. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
24b31a9da5a6f7f9d056ab13367ebdcb1fb3c585 |
|
04-Oct-2011 |
Dan Walsh <dwalsh@redhat.com> |
policycoreutils: semodule: Document semodule -p in man page Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
e4bc1b223debcc6747fef4d7a2a0a320c0208a88 |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: libsemanage: policycoreutils: Create a new preserve_tunables flag in sepol_handle_t. By default only the effective branch of a tunable conditional would be expanded and written to raw policy, while all needless unused branches would be discarded. Add a new option '-P' or "--preserve_tunables" to the semodule program. By default it is 0, if set to 1 then the above preserve_tunables flag in the sepol_handle_t would be set to 1 accordingly. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
5e096d9ceb637a785d4537555799602a3de2b3dc |
|
07-Jul-2011 |
Eric Paris <eparis@redhat.com> |
policycoreutils: semodule: support for alternative root paths Add a -p option to semodule which will allow it to operate on the specified semanaged root instead of the default. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
654dcb897e49908a958dae55cf29793412c4b390 |
|
24-Feb-2010 |
Daniel J Walsh <dwalsh@redhat.com> |
Last attempt at upstreaming semodule_disable patch. This patch allows you to disable/Enable policy modules. It never seems to get upstreamed. :^( Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
c282c4024de7321a2987e55c51f6b65c75344c83 |
|
11-Sep-2009 |
Daniel J Walsh <dwalsh@redhat.com> |
I think I sent this patch before, it is the upgrade patch. Basically it makes semodule -u file.pp, install file.pp if it does not exist. This matches the rpm syntax, and allows us to update/install many packages with a transaction without knowing whether the package is updated or installed. Currently we can only do a -i which could hammer a newer version. commit 3a5ed0fdf42200d0efd6cb1064eab91d2eb5ca52 Author: Dan Walsh <dwalsh@redhat.com> Date: Mon Aug 24 11:36:41 2009 -0400 i Upgrade patch
/external/selinux/policycoreutils/semodule/semodule.c
|
2c91f6377de4f96a3a9ca5c80c3b433b6d717d6a |
|
06-Jul-2009 |
Christopher Pardy <cpardy@redhat.com> |
semodule: maintain old functionality Patch for semodule command semodule -B Will now turn on dontaudit rules semodule -DB Will turn off dontaudit rules. With other patch all other semanage commands will maintain state. Created by Dan Walsh Signed-off-by: Christopher Pardy <cpardy@redhat.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/policycoreutils/semodule/semodule.c
|
d8b1ea603b40c21b9ac3724d9d405fac8e45b112 |
|
16-Feb-2009 |
Joshua Brindle <method@manicmethod.com> |
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Make removing of a module a warning rather than an error.
Date: Tue, 13 Jan 2009 08:57:17 -0500

This way if I say a command line semodule -r mypol -i newmypol and mypol was not there the semodule command does not error out.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
8c51c70d59e8c8c5726d4b18e1f8fbec3c28c251 |
|
05-Jan-2009 |
Joshua Brindle <method@manicmethod.com> |
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: semodule patch to use new semanage interfaces
Date: Fri, 07 Nov 2008 09:41:24 -0500

Allows semodule to read bzip compressed policy packages directly.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/policycoreutils/semodule/semodule.c
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/policycoreutils/semodule/semodule.c
|