@@ -66,10 +66,6 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload);
* 1 for yes, 0 for no (default) */
void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
-/* set whether to optimize the policy (remove redundancies) when built.
- * 1 for yes, 0 for no (default) */
-void semanage_set_optimize(semanage_handle_t * handle, int do_optimize);
-
/* Fills *compiler_path with the location of the hll compiler sh->conf->compiler_directory_path
* corresponding to lang_ext.
* Upon success returns 0, -1 on error. */
@@ -59,7 +59,7 @@ static int parse_errors;
char *s;
}
-%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
+%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
%token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
@@ -95,6 +95,7 @@ single_opt: module_store
| bzip_blocksize
| bzip_small
| remove_hll
+ | optimize_policy
;
module_store: MODULE_STORE '=' ARG {
@@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG {
free($3);
}
+optimize_policy: OPTIMIZE_POLICY '=' ARG {
+ if (strcasecmp($3, "false") == 0) {
+ current_conf->optimize_policy = 0;
+ } else if (strcasecmp($3, "true") == 0) {
+ current_conf->optimize_policy = 1;
+ } else {
+ yyerror("optimize-policy can only be 'true' or 'false'");
+ }
+ free($3);
+}
+
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
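Review bot: The new optimize_policy rule has no comment saying what the option controls, and the effect lives in a different file (the rebuild path that calls sepol_policydb_optimize()), so a reader of the grammar cannot tell; suggest a line above the rule such as `/* optimize-policy = true|false (default false): run sepol_policydb_optimize() on the kernel policy when it is rebuilt. */`. Note that on a bad value the action calls yyerror() but leaves current_conf->optimize_policy untouched, so the setting silently stays at whatever it was before, which is fine given the parse error is counted but worth knowing. Matching is case-insensitive via strcasecmp, so `True`/`FALSE` are accepted even though the error text only names the lowercase spellings; the semanage.conf documentation, which is not part of this diff, should say which spellings are valid.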
@@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->bzip_small = 0;
conf->ignore_module_cache = 0;
conf->remove_hll = 0;
+ conf->optimize_policy = 0;
conf->save_previous = 0;
conf->save_linked = 0;
@@ -54,6 +54,7 @@ handle-unknown return HANDLE_UNKNOWN;
bzip-blocksize return BZIP_BLOCKSIZE;
bzip-small return BZIP_SMALL;
remove-hll return REMOVE_HLL;
+optimize-policy return OPTIMIZE_POLICY;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[sefcontext_compile]" return SEFCONTEXT_COMPILE_START;
@@ -1462,7 +1462,7 @@ rebuild:
cil_db_destroy(&cildb);
/* Remove redundancies in binary policy if requested. */
- if (sh->do_optimize) {
+ if (sh->conf->optimize_policy) {
retval = sepol_policydb_optimize(out);
if (retval < 0)
goto cleanup;
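Review bot: The comment on the line above the changed condition still says "if requested", but the decision now comes from semanage.conf rather than from a caller of the handle, so it no longer describes the code; update it to `/* Remove redundancies in binary policy if optimize-policy is enabled in semanage.conf. */`. Since sepol_policydb_optimize() rewrites the policy that is subsequently loaded, the knob now applies to every rebuild on the host with no per-invocation opt-in, which is presumably the intent but should be stated wherever the option is documented. The error path is unchanged and still checks retval. The enclosing function starts and ends outside the hunk.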
@@ -88,10 +88,6 @@ semanage_handle_t *semanage_handle_create(void)
* If any changes are made, this flag is ignored */
sh->do_rebuild = 0;
- /* By default do not optimize policy on rebuild.
- * If the policy is not being rebuilt, this flag is ignored. */
- sh->do_optimize = 0;
-
sh->commit_err = 0;
/* By default always reload policy after commit if SELinux is enabled. */
@@ -129,15 +125,6 @@ void semanage_set_rebuild(semanage_handle_t * sh, int do_rebuild)
return;
}
-void semanage_set_optimize(semanage_handle_t * sh, int do_optimize)
-{
-
- assert(sh != NULL);
-
- sh->do_optimize = do_optimize;
- return;
-}
-
void semanage_set_reload(semanage_handle_t * sh, int do_reload)
{
@@ -62,7 +62,6 @@ struct semanage_handle {
int is_in_transaction;
int do_reload; /* whether to reload policy after commit */
int do_rebuild; /* whether to rebuild policy if there were no changes */
- int do_optimize; /* whether to optimize the built policy */
int commit_err; /* set by semanage_direct_commit() if there are
* any errors when building or committing the
* sandbox to kernel policy at /etc/selinux
@@ -63,8 +63,3 @@ LIBSEMANAGE_1.1 {
semanage_module_remove_key;
semanage_set_store_root;
} LIBSEMANAGE_1.0;
-
-LIBSEMANAGE_1.2 {
- global:
- semanage_set_optimize;
-} LIBSEMANAGE_1.1;
@@ -47,6 +47,7 @@ typedef struct semanage_conf {
int bzip_small;
int remove_hll;
int ignore_module_cache;
+ int optimize_policy;
char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
struct external_prog *load_policy;
struct external_prog *setfiles;
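Review bot: The added optimize_policy field carries no comment, unlike ignoredirs directly below it which explains what it holds; suggest `int optimize_policy; /* optimize-policy in semanage.conf: optimize the rebuilt kernel policy */` so the struct is readable without opening the parser. The neighbouring int flags appear to be equally undocumented, so this is a style point rather than a defect, but the new line is the natural place to start.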
@@ -46,7 +46,6 @@ static int verbose;
static int reload;
static int no_reload;
static int build;
-static int optimize;
static int disable_dontaudit;
static int preserve_tunables;
static int ignore_module_cache;
@@ -124,10 +123,9 @@ static void usage(char *progname)
printf("usage: %s [option]... MODE...\n", progname);
printf("Manage SELinux policy modules.\n");
printf("MODES:\n");
- printf(" -R,--reload reload policy\n");
- printf(" -B,--build build and reload policy\n");
+ printf(" -R, --reload reload policy\n");
+ printf(" -B, --build build and reload policy\n");
printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
- printf(" -O,--optimize optimize built policy\n");
printf(" -i,--install=MODULE_PKG install a new module\n");
printf(" -r,--remove=MODULE_NAME remove existing module at desired priority\n");
printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n");
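Review bot: Only the -R and -B lines are reformatted to `-R, --reload` with a space after the comma, while -D, -i, -r and -l immediately below keep the old `-D,--disable_dontaudit` spelling, so the usage output becomes inconsistent within itself. Either leave those two lines as they were or reformat every option line in the same hunk; mixing the two forms in one usage block is harder to read than either on its own. Dropping the -O line is consistent with the removal of the long option and the getopt string elsewhere in the diff.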
@@ -193,7 +191,6 @@ static void parse_command_line(int argc, char **argv)
{"reload", 0, NULL, 'R'},
{"noreload", 0, NULL, 'n'},
{"build", 0, NULL, 'B'},
- {"optimize", 0, NULL, 'O'},
{"disable_dontaudit", 0, NULL, 'D'},
{"preserve_tunables", 0, NULL, 'P'},
{"ignore-module-cache", 0, NULL, 'C'},
@@ -210,10 +207,9 @@ static void parse_command_line(int argc, char **argv)
verbose = 0;
reload = 0;
no_reload = 0;
- optimize = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDOCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -272,9 +268,6 @@ static void parse_command_line(int argc, char **argv)
case 'B':
build = 1;
break;
- case 'O':
- optimize = 1;
- break;
case 'D':
disable_dontaudit = 1;
break;
@@ -745,8 +738,6 @@ cleanup_disable:
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
- if (optimize)
- semanage_set_optimize(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)