On Wed, Jun 29, 2022 at 6:55 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Tue, Jun 28, 2022 at 5:08 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
> >
> > On Wed, Jun 8, 2022 at 7:23 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > >
> > > For the use case of rebuilding the policy afte package updates, we need
> > > the check_ext_changes operation to always do at least the do_write_kernel
> > > step, because the various semanage dbs may have also changed content
> > > relative to the current binary policy. As this step is itself relatively
> > > fast, we can do it unconditionally.
> > >
> > > Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
> > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> >
> > Hello,
> > This patch and the next one ("semodule: rename
> > --rebuild-if-modules-changed to --refresh") look good to me. Has
> > anyone also taken a look at them?
> >
> > If nobody objects, I will merge it tomorrow, with a small misspelling
> > fix in the commit message (afte -> after).
> >
>
> These look good to me as well.
> Thanks,
> Jim

Thanks. I merged both patches.
Nicolas

> > Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> >
> > Thanks,
> > Nicolas
> >
> > > --- > > > libsemanage/include/semanage/handle.h | 2 +- > > > libsemanage/src/direct_api.c | 8 +++++--- > > > 2 files changed, 6 insertions(+), 4 deletions(-) > > > > > > diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h > > > index 0157be4f..4cf30815 100644 > > > --- a/libsemanage/include/semanage/handle.h > > > +++ b/libsemanage/include/semanage/handle.h
> > > @@ -67,7 +67,7 @@ extern void semanage_set_reload(semanage_handle_t * handle, int do_reload); > > > extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild); > > > > > > /* set whether to rebuild the policy on commit when potential changes > > > - * to module files since last rebuild are detected, > > > + * to store files since last rebuild are detected, > > > * 1 for yes (default), 0 for no */ > > > extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check); > > > > > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > > > index 7206483a..7aa081ab 100644 > > > --- a/libsemanage/src/direct_api.c > > > +++ b/libsemanage/src/direct_api.c > > > @@ -1437,13 +1437,15 @@ static int semanage_direct_commit(semanage_handle_t * sh) > > > * Determine what else needs to be done. > > > * We need to write the kernel policy if we are rebuilding > > > * or if any other policy component that lives in the kernel > > > - * policy has been modified. > > > + * policy has been modified. We also want to force it when > > > + * check_ext_changes was specified as the various dbases may have > > > + * changes as well. > > > * We need to install the policy files if any of the managed files > > > * that live under /etc/selinux (kernel policy, seusers, file contexts) > > > * will be modified. > > > */ > > > - do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified | > > > - ibendports_modified | > > > + do_write_kernel = do_rebuild | sh->check_ext_changes | > > > + ports_modified | ibpkeys_modified | ibendports_modified | > > > bools->dtable->is_modified(bools->dbase) | > > > ifaces->dtable->is_modified(ifaces->dbase) | > > > nodes->dtable->is_modified(nodes->dbase) | > > > -- > > > 2.36.1 > > > > >
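Review bot: the "(default)" on "1 for yes" in the semanage_set_check_ext_changes() comment in handle.h deserves a second look now that direct_api.c ORs sh->check_ext_changes into do_write_kernel: if 1 really were the default, every commit would write the kernel policy. Please confirm the default and correct the comment if needed. The comment should also say that setting the flag forces the kernel policy write even when no store change is detected, because "when potential changes to store files since last rebuild are detected" reads as if the write stays conditional.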
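Review bot: in the semanage_direct_commit() comment in direct_api.c, "the various dbases may have changes as well" should read "may have changed as well", and it would help to state outright that with check_ext_changes set the is_modified() terms that follow no longer affect do_write_kernel. The same comment says the policy files are installed only if a managed file under /etc/selinux will be modified; the install decision is not visible in this hunk, so please confirm that the forced kernel write is also followed by an install in this path.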