From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 15 Dec 2016 19:31:33 -0500
Subject: [refpolicy] [PATCH v2] Do not keep disabled modules during new
 policy load
In-Reply-To: <1481835895.24835.3.camel@trentalancia.net>
References: <1481831671.24835.1.camel@trentalancia.net>
	<1481835895.24835.3.camel@trentalancia.net>
Message-ID: <efab45bb-9375-eb0d-32be-a2a1a9dd3912@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/15/16 16:04, Guido Trentalancia via refpolicy wrote:
> When loading a new modular policy, remove all policy modules that
> have been previously loaded but have now been explicitly disabled.
>
> If the batch removal process fails, for example because one or more
> enabled modules depend on one or more modules to be removed, remove
> each module separately (much slower but most effective).

The policy makefiles were never meant to do this.  The targets for 
loading modules are just for convenience, and not meant to add another 
layer of policy management to what we already have with semodule/semanage.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  Rules.modular |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff -pru a/Rules.modular b/Rules.modular
> --- a/Rules.modular	2016-12-15 19:23:50.693731447 +0100
> +++ b/Rules.modular	2016-12-15 20:40:42.482313515 +0100
> @@ -21,6 +21,7 @@ base_post_te_files := $(user_files) $(po
>  base_fc_files := $(base_mods:.te=.fc)
>
>  mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
> +off_mod_names := $(basename $(off_mods))
>
>  # policy packages to install
>  instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
> @@ -48,7 +49,9 @@ install: $(instpkg) $(appfiles)
>
>  ########################################
>  #
> -# Load all configured modules
> +# Load all configured modules and remove
> +# all modules that have been explicitly
> +# disabled
>  #
>  load: $(instpkg) $(appfiles)
>  # make sure two directories exist since they are not
> @@ -56,6 +59,7 @@ load: $(instpkg) $(appfiles)
>  	@echo "Loading configured modules."
>  	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>  	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> +	-$(verbose) $(SEMODULE) -s $(NAME) -r $(foreach offmod,$(off_mod_names),$(offmod)) || $(foreach offmod,$(off_mod_names),$(SEMODULE) -s $(NAME) -r $(offmod);)
>
>  ########################################
>  #
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito