On Tue, 8 Oct 2019 10:31:37 -0400, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 10/8/19 8:48 AM, Stephen Smalley wrote:
>> On 10/8/19 2:44 AM, Masatake YAMATO wrote:
>>> dispol command requires interaction, and is not suitable for using
>>> in a script. This patch set introduces -b that is for running
>>> dispol non-interactively.
>>>
>>> An example:
>>>
>>> $ ./dispol -b 1 /sys/fs/selinux/policy
>>> allow deltacloudd_log_t tmp_t : filesystem { associate };
>>> allow kern_unconfined sysctl_type : lnk_file { ioctl read ...
>> What is your intended use case for this support, i.e. how do you
>> envision using dispol in scripts?
>> If you just want to decompile policy, I'd recommend using checkpolicy
>> -F/--conf or checkpolicy -c/--cil, ala:
>> checkpolicy -M -b /sys/fs/selinux/policy -F -o policy.conf
>> or
>> checkpolicy -M -b /sys/fs/selinux/policy -C -o policy.cil
>
> Or you could just use sesearch -A if you wanted to just dump all allow
> rules, for example, or seinfo -b for all booleans, ...
>
> dispol/dismod have always just been test/debug/developer utilities and
> predated the ability to decompile policies with checkpolicy, so I'm
> not sure if they are even still useful to keep around. Is anyone
> still using them?

Thank you for the comment.

I didn't know that checkpolicy can be used for decompiling policies.

I read checkpolicy.8, and I found that what I want is a way to write
decompiled policies to standard output, so that I can read the result
with the less command, or filter it with grep. I frequently do
something similar with objdump.

I would like to withdraw the patches about dispol.
Instead, I proposed '-o -' for writing decompiled policies to standard
output in another mail thread. Could you review the proposal?

Masatake YAMATO

>>
>>> ...
>>>
>>> Masatake YAMATO (5):
>>>   dispol: extend usage() to take exit status
>>>   dispol: add an option for printing the command usage
>>>   dispol: introduce a local variable representing the input file
>>>   dispol: introduce -b option to run commands in batch
>>>   dispol: add the list of commands for batch mode to help message
>>>
>>>  checkpolicy/test/dispol.c | 96 ++++++++++++++++++++++++++++-----------
>>>  1 file changed, 69 insertions(+), 27 deletions(-)
>>>
>>
>