On Sun, Jan 16, 2022 at 11:07 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Thu, 13 Jan 2022 at 15:39, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Add a new command-line option "--smart" (for the lack of a better
> > name...) to control the newly introduced check_ext_changes libsemanage
> > flag.
> >
> > For example, running `semodule -B --smart` will ensure that any
> > externally added/removed modules (e.g. by an RPM transaction) are
> > reflected in the compiled policy, while skipping the most expensive part
> > of the rebuild if no module change was deteceted since the last
> > libsemanage transaction.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> > policycoreutils/semodule/semodule.c | 23 ++++++++++++++++++++---
> > 1 file changed, 20 insertions(+), 3 deletions(-)
> >
> > diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
> > index a5b71fc4..638edb39 100644
> > --- a/policycoreutils/semodule/semodule.c
> > +++ b/policycoreutils/semodule/semodule.c
> > @@ -47,6 +47,7 @@ static int verbose;
> > static int reload;
> > static int no_reload;
> > static int build;
> > +static int check_ext_changes;
> > static int disable_dontaudit;
> > static int preserve_tunables;
> > static int ignore_module_cache;
> > @@ -149,6 +150,8 @@ static void usage(char *progname)
> > printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
> > printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
> > printf(" -m, --checksum print module checksum (SHA256).\n");
> > + printf(" --smart force policy rebuild if module content changed since\n"
> > + " last rebuild (based on checksum)\n");
>
> Some other naming suggestions:
>
> incremental
> on-update
> on-change
> changed-only
> updated-only
>
> Also maybe describe with `force policy rebuild only if ...`, cause
> otherwise one might think without --smart modules are never rebuild.
>
I was going to suggest "--if-required" or "--if-needed". I think that "incremental" or "on-change" would be ok as well. Jim
> > }
> >
> > /* Sets the global mode variable to new_mode, but only if no other
> > @@ -180,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
> > static void parse_command_line(int argc, char **argv)
> > {
> > static struct option opts[] = {
> > + {"smart", 0, NULL, '\0'},
> > {"store", required_argument, NULL, 's'},
> > {"base", required_argument, NULL, 'b'},
> > {"help", 0, NULL, 'h'},
> > @@ -207,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
> > };
> > int extract_selected = 0;
> > int cil_hll_set = 0;
> > - int i;
> > + int i, longind;
> > verbose = 0;
> > reload = 0;
> > no_reload = 0;
> > + check_ext_changes = 0;
> > priority = 400;
> > while ((i =
> > - getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
> > - NULL)) != -1) {
> > + getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
> > + opts, &longind)) != -1) {
> > switch (i) {
> > + case '\0':
> > + switch(longind) {
> > + case 0: /* --smart */
> > + check_ext_changes = 1;
> > + break;
> > + default:
> > + usage(argv[0]);
> > + exit(1);
> > + }
> > + break;
> > case 'b':
> > fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
> > set_mode(INSTALL_M, optarg);
> > @@ -813,6 +828,8 @@ cleanup_disable:
> > semanage_set_reload(sh, 0);
> > if (build)
> > semanage_set_rebuild(sh, 1);
> > + if (check_ext_changes)
> > + semanage_set_check_ext_changes(sh, 1);
> > if (disable_dontaudit)
> > semanage_set_disable_dontaudit(sh, 1);
> > else if (build)
> > --
> > 2.34.1
> >
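Review bot: The `--smart` handling in parse_command_line ties the option to its position in `opts[]`: `{"smart", 0, NULL, '\0'}` makes getopt_long return 0, and `case 0:` under `switch(longind)` assumes that entry is first in the table, so adding another long-only option ahead of it would silently route `--smart` to `usage()`/`exit(1)`. getopt's `flag` field expresses this without index coupling: `{"smart", no_argument, &check_ext_changes, 1},` and the inner switch then reduces to `case 0: /* long-only option, value already stored via flag */ break;`, with the existing `check_ext_changes = 0;` reset still covering the not-given case. As a point of style, `switch(longind)` lacks the space used by the surrounding `switch (i)`. parse_command_line continues past the end of the hunk.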
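Review bot: `semanage_set_check_ext_changes(sh, 1)` is applied whenever `--smart` was given, independently of `build`, while the usage text and the commit message describe the option only in combination with `-B`; if libsemanage does not act on the flag without a rebuild being requested (not visible here), a bare `semodule --smart` would silently do nothing, so either reject that combination in parse_command_line or say in the usage line that the option only affects `-B`. The diffstat shows only semodule.c changing; if the semodule man page lists the long options, it presumably needs the same entry. The enclosing function continues outside the hunk.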