Cleaning up semanage
David Quigley
selinux at davequigley.com
Fri Dec 14 16:48:34 UTC 2012
On 12/14/2012 07:10, Daniel J Walsh wrote:
>
> On 12/13/2012 06:30 PM, David Quigley wrote:
>> On 12/13/2012 14:13, David Quigley wrote:
>>> On 12/13/2012 10:41, Konstantin Ryabitsev wrote:
>>>> On Wed, Dec 12, 2012 at 10:03 PM, Dave Quigley
>>>> <selinux at davequigley.com> wrote:
>>>>> I'm actually going to try to pull together just the parsers
>>>>> without
>>>>> any backend functionality to see how feasible this is and how it
>>>>> looks. If we like how it looks and it's possible we can move
>>>>> forward
>>>>> with it. I think that since --ftype is a longarg that argparse
>>>>> might
>>>>> be able to handle it. If not then some manipulation of things
>>>>> might
>>>>> be in order (like making an = between --ftype and the -d).
>>>>
>>>> Note that --ftype can be also written as -f. So, really, if you
>>>> want to
>>>> be fully backwards-compatible, you'll need to correctly parse the
>>>> following:
>>>>
>>>> semanage fcontext -d -f -d /some/dir
>>>>
>>>> -- Konstantin Ryabitsev LinuxFoundation.org Montréal, Québec
>>>
>>>
>>> Which brings up a good question. Is there a test suite we can use
>>> to
>>> ensure that the new interface matches the old interface? A
>>> regression
>>> suite for semanage would be very useful in this case. We could
>>> start with
>>> everything failing and rebuild the interface one at a time until
>>> everything passes again. -- selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> I haven't typed in all of the help info yet but the link is to a
>> pastebin
>> with the usage information for the semanage login subcommand. I just
>> need
>> to get it to react that way when there are 0 arguments passed in as
>> well.
>> Right now it will print this when you type semanage login -h or
>> --help. I
>> want it to print this on semanage login with no arguments as well.
>>
>> http://pastebin.com/KTtNk0rC
>
> I love it. This has been on my long list of cleanups for a while,
> but we
> never seem to get to it. I looked at this a while ago, and at the
> time the
> hardest problem I saw was the fact that semanage without arguments
> was
> difficult to do.
>
> Output local customizations
> semanage [ -S store ] -o [ output_file | - ]
>
> Input local customizations
> semanage [ -S store ] -i [ input_file | - ]
>
> argparser does not allow "optional arguments" like this.
I agree that I'm not sure how possible it is to do that. It might be a
good idea to change from semanage -i inputfile or semanage -o outputfile
into semanage backup and semanage restore. Semantically those words make
sense as a subcommand and make it clear as to what it is actually
doing. It's also easy to implement them.
>
> A cleanup of the man page would also be great. The new sepolicy tool
> suite is
> using argparse and separate man pages for each subcommand, and I
> really like it.
Yea I agree that a manpage for semanage-port semanage-fcontext etc is
the way to go.
>
> I think bash-completion eliminates the need for semanage-fcontext
> Since you
> can do.
>
> semanage <tab><tab>
> boolean fcontext login node port
> dontaudit interface module permissive user
>
I agree. It wasn't clear to me if doing this had any real benefit. If
we didn't have bash completion it might have but now that we do I don't
see a need for it.
Dave
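
The parsing points raised in this thread, as an added example that is not part of the original message or of semanage's own code: `-f -d` is joined into `--ftype=-d` before argparse sees it, a bare `semanage login` returns the usage text, and `backup`/`restore` stand in for `-o`/`-i`. The helper names, the `HELP_ON_EMPTY` tuple and the reduced option set are assumptions made for illustration.

```python
import argparse

# Assumption: subcommands that should print usage when given no arguments.
HELP_ON_EMPTY = ("login", "fcontext")

def normalize_ftype(argv):
    """Join '-f VALUE' / '--ftype VALUE' into '--ftype=VALUE'.

    argparse rejects a separate value that looks like an option ('-d'),
    but accepts the same value when it is attached with '='.
    """
    out, i = [], 0
    while i < len(argv):
        if argv[i] in ("-f", "--ftype") and i + 1 < len(argv):
            out.append("--ftype=" + argv[i + 1])
            i += 2
        else:
            out.append(argv[i])
            i += 1
    return out

def build_parser():
    parser = argparse.ArgumentParser(prog="semanage")
    parser.add_argument("-S", "--store")
    sub = parser.add_subparsers(dest="command")

    login = sub.add_parser("login")
    login.add_argument("-l", "--list", action="store_true")

    fcontext = sub.add_parser("fcontext")
    fcontext.add_argument("-d", "--delete", action="store_true")
    fcontext.add_argument("-f", "--ftype", default="")
    fcontext.add_argument("file_spec")

    # Proposed replacements for 'semanage -o FILE' / 'semanage -i FILE';
    # '-' keeps the old meaning of stdout / stdin.
    sub.add_parser("backup").add_argument("output_file", nargs="?", default="-")
    sub.add_parser("restore").add_argument("input_file", nargs="?", default="-")
    return parser, sub.choices

def usage_if_bare(argv):
    """Return help text for a bare 'semanage login' style call, else None."""
    _, subparsers = build_parser()
    if len(argv) == 1 and argv[0] in HELP_ON_EMPTY:
        return subparsers[argv[0]].format_help()
    return None

def parse(argv):
    parser, _ = build_parser()
    return parser.parse_args(normalize_ftype(list(argv)))
```

A regression suite of the kind asked about earlier in the thread could feed the old command lines through `parse()` and compare the resulting namespaces.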