On Thu, 13 Jan 2022 at 15:39, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Add a new command-line option "--smart" (for the lack of a better
> name...) to control the newly introduced check_ext_changes libsemanage
> flag.
>
> For example, running `semodule -B --smart` will ensure that any
> externally added/removed modules (e.g. by an RPM transaction) are
> reflected in the compiled policy, while skipping the most expensive part
> of the rebuild if no module change was deteceted since the last
> libsemanage transaction.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
> policycoreutils/semodule/semodule.c | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
> index a5b71fc4..638edb39 100644
> --- a/policycoreutils/semodule/semodule.c
> +++ b/policycoreutils/semodule/semodule.c
> @@ -47,6 +47,7 @@ static int verbose;
> static int reload;
> static int no_reload;
> static int build;
> +static int check_ext_changes;
> static int disable_dontaudit;
> static int preserve_tunables;
> static int ignore_module_cache;
> @@ -149,6 +150,8 @@ static void usage(char *progname)
> printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
> printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
> printf(" -m, --checksum print module checksum (SHA256).\n");
> + printf(" --smart force policy rebuild if module content changed since\n"
> + " last rebuild (based on checksum)\n");
Some other naming suggestions:
incremental
on-update
on-change
changed-only
updated-only
Also maybe describe with `force policy rebuild only if ...`, cause
otherwise one might think without --smart modules are never rebuild.
> }
>
> /* Sets the global mode variable to new_mode, but only if no other
> @@ -180,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
> static void parse_command_line(int argc, char **argv)
> {
> static struct option opts[] = {
> + {"smart", 0, NULL, '\0'},
> {"store", required_argument, NULL, 's'},
> {"base", required_argument, NULL, 'b'},
> {"help", 0, NULL, 'h'},
> @@ -207,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
> };
> int extract_selected = 0;
> int cil_hll_set = 0;
> - int i;
> + int i, longind;
> verbose = 0;
> reload = 0;
> no_reload = 0;
> + check_ext_changes = 0;
> priority = 400;
> while ((i =
> - getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
> - NULL)) != -1) {
> + getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
> + opts, &longind)) != -1) {
> switch (i) {
> + case '\0':
> + switch(longind) {
> + case 0: /* --smart */
> + check_ext_changes = 1;
> + break;
> + default:
> + usage(argv[0]);
> + exit(1);
> + }
> + break;
> case 'b':
> fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
> set_mode(INSTALL_M, optarg);
> @@ -813,6 +828,8 @@ cleanup_disable:
> semanage_set_reload(sh, 0);
> if (build)
> semanage_set_rebuild(sh, 1);
> + if (check_ext_changes)
> + semanage_set_check_ext_changes(sh, 1);
> if (disable_dontaudit)
> semanage_set_disable_dontaudit(sh, 1);
> else if (build)
> --
> 2.34.1
>
