From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 15 Dec 2016 20:54:31 +0100
Subject: [refpolicy] [PATCH] Do not keep disabled modules during new policy load
Message-ID: <1481831671.24835.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
When loading a new modular policy, remove all policy modules that have been previously loaded but have now been explicitly disabled. If the batch removal process fails, for example because one or more enabled modules depend on one or more modules to be removed, remove each module separately (much slower but most effective).
Signed-off-by: Guido Trentalancia
---
 Rules.modular | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff -pru a/Rules.modular b/Rules.modular
--- a/Rules.modular 2016-12-15 19:23:50.693731447 +0100
+++ b/Rules.modular 2016-12-15 20:40:42.482313515 +0100
@@ -21,6 +21,7 @@ base_post_te_files := $(user_files) $(po
 base_fc_files := $(base_mods:.te=.fc)
 mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
+off_mod_names := $(basename $(off_mods))
 # policy packages to install
 instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
@@ -48,7 +49,9 @@ install: $(instpkg) $(appfiles)
 ########################################
 #
-# Load all configured modules
+# Load all configured modules and remove
+# all modules that have been explicitly
+# disabled
 #
 load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
@@ -56,6 +59,7 @@ load: $(instpkg) $(appfiles)
 @echo "Loading configured modules."
 @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
 $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+ $(verbose) $(SEMODULE) -s $(NAME) -r $(foreach offmod,$(off_mod_names),$(offmod)) || $(foreach offmod,$(off_mod_names),$(SEMODULE) -s $(NAME) -r $(offmod);)
 ########################################
 #
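Review bot: `$(basename …)` on the added `off_mod_names` line strips only the suffix, so any directory part of an `off_mods` entry would stay in the name handed to `semodule -r`. The `mod_pkgs` assignment just above it applies `$(notdir …)` to its list. `off_mods` is defined outside this diff, so whether its entries carry a path cannot be confirmed from here, but `off_mod_names := $(basename $(notdir $(off_mods)))` is correct in both cases. A short comment such as `# names of explicitly disabled modules, removed from the module store by the load target` would document what the variable is for.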
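Review bot: When `off_mod_names` is empty, the added `-r` line in the `load` recipe (whose rule header is in the previous hunk) expands to `$(SEMODULE) -s $(NAME) -r  || ` with no module name and nothing after `||`. If no module is disabled (`off_mods` is set outside this diff), `make load` would then fail on a shell syntax error; guarding the line with `ifneq ($(strip $(off_mod_names)),)` … `endif` avoids that. The fallback also joins the per-module removals with `;`, so the recipe's exit status is that of the last removal only. An earlier failure would leave an explicitly disabled module loaded, with whatever rules it carries, while `load` reports success. A loop that records failures keeps this visible, e.g. `$(verbose) $(SEMODULE) -s $(NAME) -r $(off_mod_names) || { rc=0; for m in $(off_mod_names); do $(SEMODULE) -s $(NAME) -r $$m || rc=1; done; exit $$rc; }`.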