From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 15 Dec 2016 19:31:33 -0500
Subject: [refpolicy] [PATCH v2] Do not keep disabled modules during new policy load
In-Reply-To: <1481835895.24835.3.camel@trentalancia.net>
References: <1481831671.24835.1.camel@trentalancia.net> <1481835895.24835.3.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/15/16 16:04, Guido Trentalancia via refpolicy wrote:
> When loading a new modular policy, remove all policy modules that
> have been previously loaded but have now been explicitly disabled.
>
> If the batch removal process fails, for example because one or more
> enabled modules depend on one or more modules to be removed, remove
> each module separately (much slower but most effective).

The policy makefiles were never meant to do this. The targets for loading modules are just for convenience, and not meant to add another layer of policy management to what we already have with semodule/semanage.

> Signed-off-by: Guido Trentalancia
> ---
> Rules.modular | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff -pru a/Rules.modular b/Rules.modular
> --- a/Rules.modular 2016-12-15 19:23:50.693731447 +0100
> +++ b/Rules.modular 2016-12-15 20:40:42.482313515 +0100
> @@ -21,6 +21,7 @@ base_post_te_files := $(user_files) $(po
> base_fc_files := $(base_mods:.te=.fc)
>
> mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
> +off_mod_names := $(basename $(off_mods))
>
> # policy packages to install
> instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
> @@ -48,7 +49,9 @@ install: $(instpkg) $(appfiles)
>
> ########################################
> #
> -# Load all configured modules
> +# Load all configured modules and remove
> +# all modules that have been explicitly
> +# disabled
> #
> load: $(instpkg) $(appfiles)
> # make sure two directories exist since they are not
> @@ -56,6 +59,7 @@ load: $(instpkg) $(appfiles)
> @echo "Loading configured modules."
> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> + -$(verbose) $(SEMODULE) -s $(NAME) -r $(foreach offmod,$(off_mod_names),$(offmod)) || $(foreach offmod,$(off_mod_names),$(SEMODULE) -s $(NAME) -r $(offmod);)
>
> ########################################
> #
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

-- 
Chris PeBenito
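Review bot: in the first hunk, `off_mod_names := $(basename $(off_mods))` only strips the `.te` suffix and keeps any directory component, whereas the neighbouring `mod_pkgs` line strips directories with `$(notdir ...)`; if `off_mods` carries paths the way `mod_mods` evidently does, `semodule -r` will be handed a path fragment rather than a bare module name and the removal will fail for every entry. Suggest `off_mod_names := $(notdir $(basename $(off_mods)))` so the names match what `semodule -l` reports.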
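Review bot: the new recipe line in the last hunk runs `$(SEMODULE) -s $(NAME) -r` with no module names whenever `off_mod_names` is empty (the usual case), and the leading `-` then suppresses whatever semodule reports; wrap the line in `$(if $(off_mod_names),...)` or a shell test on the list so the removal step only runs when there is something to remove. The `-` prefix also hides real failures of the per-module fallback loop: a module that cannot be removed because an enabled module still depends on it (the exact case the commit message describes) is silently left installed, and the `;`-joined loop never retries, so two disabled modules that depend on each other may or may not both be removed depending on their order in `off_mod_names`. At minimum, print which removals failed instead of masking them. Minor: `$(foreach offmod,$(off_mod_names),$(offmod))` is just `$(off_mod_names)`.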