On 10/8/19 8:48 AM, Stephen Smalley wrote:
On 10/8/19 2:44 AM, Masatake YAMATO wrote:
The dispol command requires interaction and is not suitable for use
in a script. This patch set introduces -b, which is for running
dispol non-interactively.
An example:
$ ./dispol -b 1 /sys/fs/selinux/policy
allow deltacloudd_log_t tmp_t : filesystem { associate };
allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
What is your intended use case for this support, i.e. how do you
envision using dispol in scripts?
If you just want to decompile policy, I'd recommend using checkpolicy
-F/--conf or checkpolicy -C/--cil, ala:
checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
or
checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
Or you could just use sesearch -A if you wanted to just dump all allow
rules, for example, or seinfo -b for all booleans, ...
dispol/dismod have always just been test/debug/developer utilities and
predated the ability to decompile policies with checkpolicy, so I'm not
sure if they are even still useful to keep around. Is anyone still
using them?
...
Masatake YAMATO (5):
dispol: extend usage() to take exit status
dispol: add an option for printing the command usage
dispol: introduce a local variable representing the input file
dispol: introduce -b option to run commands in batch
dispol: add the list of commands for batch mode to help message
checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
1 file changed, 69 insertions(+), 27 deletions(-)
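As an added example (not part of this thread, nor code from the checkpolicy tree), one way a script could consume the allow-rule lines that a non-interactive dispol or sesearch -A prints: a small parser that keeps track of rules whose permission list was truncated, so a check based on the output does not silently miss permissions. It assumes the "allow SRC TGT : CLASS { PERMS };" line format shown above; the sample input reuses the two lines from the dispol -b example plus two constructed rules.

```python
import re
from typing import NamedTuple

class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset
    truncated: bool  # True when the permission list was cut off ("...")

# One "allow SRC TGT : CLASS { PERMS };" line as printed by dispol or sesearch; also accepts
# "self:capability" (no spaces), a single bare permission, and a truncated list with no "};".
_RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>[^\s:]+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*(?P<close>\}\s*;)?|(?P<perm>[^\s;{}]+)\s*;)\s*$"
)

def parse_allow_rules(text: str) -> list:
    """Parse every allow rule in TEXT; lines that are not allow rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m is None:
            continue
        if m.group("perm") is not None:            # "allow a b : c read;"
            perms, truncated = frozenset([m.group("perm")]), False
        else:
            words = m.group("perms").split()
            truncated = m.group("close") is None or "..." in words
            perms = frozenset(w for w in words if w != "...")
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), perms, truncated))
    return rules

def rules_granting(rules, tclass: str, perm: str) -> list:
    """Rules that grant PERM on object class TCLASS (a truncated rule may hide more perms)."""
    return [r for r in rules if r.tclass == tclass and perm in r.perms]

# Constructed sample: the two lines from the dispol -b example plus two made-up rules
# (a "self" target and a single bare permission) to exercise the other line forms.
SAMPLE_OUTPUT = """\
allow deltacloudd_log_t tmp_t : filesystem { associate };
allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
allow init_t self:capability { setuid setgid };
allow sshd_t tmp_t : dir search;
"""

if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_OUTPUT)
    print(rules_granting(rules, "lnk_file", "read"))
    print(sum(r.truncated for r in rules), "rule(s) had a truncated permission list")
```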