@@ -46,6 +46,7 @@ static int verbose;
static int reload;
static int no_reload;
static int build;
+static int optimize;
static int disable_dontaudit;
static int preserve_tunables;
static int ignore_module_cache;
@@ -123,9 +124,10 @@ static void usage(char *progname)
printf("usage: %s [option]... MODE...\n", progname);
printf("Manage SELinux policy modules.\n");
printf("MODES:\n");
- printf(" -R, --reload reload policy\n");
- printf(" -B, --build build and reload policy\n");
+ printf(" -R,--reload reload policy\n");
+ printf(" -B,--build build and reload policy\n");
printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
+ printf(" -O,--optimize optimize built policy\n");
printf(" -i,--install=MODULE_PKG install a new module\n");
printf(" -r,--remove=MODULE_NAME remove existing module at desired priority\n");
printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n");
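Review bot: The new `-O,--optimize` help line does not say when the flag has any effect, and the visible code treats it as a modifier like -D rather than a mode of its own. A wording such as `printf(" -O,--optimize optimize policy when it is rebuilt\n");` would make that clear. The diffstat lists semodule.c as the only file changed, so a man page, if the tool ships one, will not mention the option and should be updated in the same commit. usage() starts and ends outside the hunk.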
@@ -191,6 +193,7 @@ static void parse_command_line(int argc, char **argv)
{"reload", 0, NULL, 'R'},
{"noreload", 0, NULL, 'n'},
{"build", 0, NULL, 'B'},
+ {"optimize", 0, NULL, 'O'},
{"disable_dontaudit", 0, NULL, 'D'},
{"preserve_tunables", 0, NULL, 'P'},
{"ignore-module-cache", 0, NULL, 'C'},
@@ -207,9 +210,10 @@ static void parse_command_line(int argc, char **argv)
verbose = 0;
reload = 0;
no_reload = 0;
+ optimize = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDOCPX:e:d:p:S:E:cH", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -268,6 +272,9 @@ static void parse_command_line(int argc, char **argv)
case 'B':
build = 1;
break;
+ case 'O':
+ optimize = 1;
+ break;
case 'D':
disable_dontaudit = 1;
break;
@@ -738,6 +745,8 @@ cleanup_disable:
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (optimize)
+ semanage_set_optimize(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)
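Review bot: `if (optimize) semanage_set_optimize(sh, 1);` only marks the handle, and nothing in the visible hunks makes -O request a rebuild. Running with -O but without -B or a module operation therefore presumably either fails the mode check or changes nothing; that code is outside the diff and should be confirmed. Because the flag changes the kernel policy that ends up loaded and enforced, a silent no-op is worth avoiding. Either reject the combination with an explicit error, or add a comment here such as `/* -O only affects a policy rebuild triggered by -B or a module transaction */`. The enclosing block begins before the hunk (the hunk header points at the `cleanup_disable` label) and continues past `else if (build)`.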
Add a command-line option -O/--optimize to enable policy optimization when building kernel policy. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policycoreutils/semodule/semodule.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)