On Tue, 2010-01-26 at 17:08 -0500, Caleb Case wrote:
> In order to ease the process of modifying an installed module, this
> provides the -E,--edit option to semodule. It will retrieve the
> specified module, open it in the default editor, and then reinstall the
> module if editing completes successfully.
>
>  * Editor to be executed is discovered from the EDITOR environment
>    variable.
>
>  * Transaction locks are held for the duration of the editing.
>
>  * If -E is specified multiple times, then the editor will be
>    called on each one, consecutively (editing stops on a particular
>    module when the editor exits).
>
>  * If the editor exits with a non-zero status, then the transaction
>    will be aborted.
>
>  * If the editor exits without making any changes to the file (as
>    determined from the time stamp), then the transaction will not be
>    committed unless another action requires it to be.
>
>  * The editor will be executed in the user's SELinux context (as
>    determined by getprevcon)
>
> Example:
>
>  # export EDITOR=vim
>  # semodule -E alsa
>  <edit alsa module>
>  <after quitting editor module is installed>
> ---

I'm concerned that this is over-engineering. Why not just provide -g
(aka --checkout) and -i (aka --commit or --checkin), and let the editing
happen entirely outside of the infrastructure?

Do we really want to allow the caller to hold the transaction locks
indefinitely?

-- 
Stephen Smalley
National Security Agency
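
The editing step carried out on a checked-out copy, with no policy store lock held while the editor runs, as the reply suggests. This is an added example, not code from the thread or from semodule: `edit_checked_out` and its return codes are hypothetical, and it compares file contents rather than the time stamp the patch description uses, so the result does not depend on time stamp resolution.

```shell
#!/bin/sh
# Added example: edit a checked-out module file while no store lock is held.
# edit_checked_out is a hypothetical helper, not part of semodule.
# Return codes (assumed convention):
#   0 = file changed, caller should reinstall (commit) it
#   1 = editor failed, caller should abort; the file is restored
#   2 = file unchanged, nothing to commit
edit_checked_out() {
    file=$1
    pristine=$(mktemp) || return 1
    cp -- "$file" "$pristine" || { rm -f -- "$pristine"; return 1; }

    # EDITOR is expanded unquoted so values such as "vim -n" work.
    # It comes from the caller's environment and runs as the caller.
    if ! ${EDITOR:-vi} "$file"; then
        # Non-zero editor exit: discard partial edits and abort.
        cp -- "$pristine" "$file"
        rm -f -- "$pristine"
        return 1
    fi

    # Byte-for-byte comparison against the copy taken before editing.
    if cmp -s -- "$pristine" "$file"; then
        rm -f -- "$pristine"
        return 2
    fi

    rm -f -- "$pristine"
    return 0
}
```

A caller would take the transaction lock only for the checkout that produces the file and again for the install that follows a return code of 0.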