When using semodule for building a distribution policy package (as Fedora does), the environment might not have selinuxfs available and provide no way to modify semanage.conf. When we want to build a policy with version X (because our kernel doesn't support X+1 and above yet), but our libsepol already has support for X+1, then we currently have no way to do so. To resolve this, add a new command-line argument to semodule, which allows to override the system-wide configured version to a different one.
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 policycoreutils/semodule/semodule.8 | 3 +++
 policycoreutils/semodule/semodule.c | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 18d4f708..88e027fd 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -64,6 +64,9 @@ A module is extracted as HLL by default.
 The name of the module written is <module-name>.<lang_ext>
 .SH "OPTIONS"
 .TP
+.B \-V,\-\-policyvers force specific kernel policy version
+.TP
 .B \-s,\-\-store
 name of the store to operate on
 .TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index a1f75e16..30c4495b 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -50,6 +50,8 @@ static int build;
 static int disable_dontaudit;
 static int preserve_tunables;
 static int ignore_module_cache;
+static unsigned policyvers;
+static int policyvers_set = 0;
 static uint16_t priority;
 static int priority_set = 0;
@@ -137,6 +139,7 @@ static void usage(char *progname)
 printf(" -d,--disable=MODULE_NAME disable module\n");
 printf(" -E,--extract=MODULE_NAME extract module\n");
 printf("Options:\n");
+ printf(" -V,--policyvers force specific kernel policy version\n");
 printf(" -s,--store name of the store to operate on\n");
 printf(" -N,-n,--noreload do not reload policy after commit\n");
 printf(" -h,--help print this message and quit\n");
@@ -210,7 +213,7 @@ static void parse_command_line(int argc, char **argv)
 no_reload = 0;
 priority = 400;
 while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "V:s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
 NULL)) != -1) {
 switch (i) {
 case 'b':
@@ -248,6 +251,10 @@ static void parse_command_line(int argc, char **argv)
 fprintf(stderr, "The --upgrade option is deprecated. Use --install instead.\n");
 set_mode(INSTALL_M, optarg);
 break;
+ case 'V':
+ policyvers = (unsigned)strtoul(optarg, NULL, 10);
+ policyvers_set = 1;
+ break;
 case 's':
 set_store(optarg);
 break;
@@ -363,6 +370,9 @@ int main(int argc, char *argv[])
 goto cleanup_nohandle;
 }
+ if (policyvers_set)
+ semanage_set_policyvers(sh, policyvers);
+
 if (store) {
 /* Set the store we want to connect to, before connecting.
 * this will always set a direct connection now, an additional
-- 
2.24.1
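Review bot: The `V:` added to the getopt_long short-option string has no matching entry in the `opts` long-option table anywhere in this patch, yet the new usage line and the man page both advertise `--policyvers`; unless that table is updated elsewhere, getopt_long will reject `--policyvers` while `-V` works. The table is defined outside this hunk, so this may simply be missing from the diff; if so, `{"policyvers", required_argument, NULL, 'V'},` belongs next to the other long options. parse_command_line's body continues outside the hunk.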
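Review bot: The new `case 'V'` stores `strtoul(optarg, NULL, 10)` with no validation, so `-V foo` silently selects policy version 0, `-V 31x` becomes 31, `-V -5` is accepted and wraps, and an out-of-range value is truncated by the cast instead of being rejected. Because this value overrides a system-wide setting that the later policy build depends on, a malformed argument should stop the tool with a message rather than produce a policy of an unintended version; parsing with an end pointer plus an errno check is enough, and a small helper keeps the case arm as short as the neighbouring ones. The helper below needs errno.h and limits.h if semodule.c does not already include them, and it uses `exit(1)` on the assumption that this is how the other argument errors in this file terminate (not visible in the hunk).
```c
/* Parse the -V/--policyvers argument; anything but a plain decimal number is fatal. */
static void set_policyvers(const char *arg)
{
	char *end = NULL;
	unsigned long val;

	errno = 0;
	val = strtoul(arg, &end, 10);
	if (*arg == '\0' || *arg == '-' || *end != '\0' || errno == ERANGE || val > UINT_MAX) {
		fprintf(stderr, "Invalid policy version '%s'\n", arg);
		exit(1);
	}
	policyvers = (unsigned)val;
	policyvers_set = 1;
}

/* … unchanged: parse_command_line up to the 'u' case … */
		case 'V':
			set_policyvers(optarg);
			break;
```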
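Review bot: `semanage_set_policyvers(sh, policyvers)` is called without looking at its result, so if libsemanage refuses a version its libsepol cannot emit, the build would silently continue with the system-configured version and the user would never learn that the override was dropped. Whether the call reports a status is not visible in this diff; if it does, fold it into the existing error path: `if (policyvers_set && semanage_set_policyvers(sh, policyvers) < 0) { fprintf(stderr, "%s: Could not set policy version %u\n", argv[0], policyvers); goto cleanup_nohandle; }`. If it returns void, a short comment above the call noting that an unsupported version is only detected later, at build time, would save the next reader the same question. main's body continues outside the hunk.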