selinux January 2010 archive

Re: [PATCH 12/15] [src-policy] semodule: edit module

From: Stephen Smalley <sds_at_nospam>
Date: Wed Jan 27 2010 - 20:21:26 GMT
To: Caleb Case <>

On Tue, 2010-01-26 at 17:08 -0500, Caleb Case wrote:
> In order to ease the process of modifying an installed module, this
> provides the -E,--edit option to semodule. It will retrieve the
> specified module, open it in the default editor, and then reinstall the
> module if editing completes successfully.
> * Editor to be executed is discovered from the EDITOR environment
> variable.
> * Transaction locks are held for the duration of the editing.
> * If -E is specified multiple times, then the editor will be
> called on each one, consecutively (editing stops on a particular
> module when the editor exits).
> * If the editor exits with a non-zero status, then the transaction
> will be aborted.
> * If the editor exits without making any changes to the file (as
> determined from the time stamp), then the transaction will not be
> committed unless another action requires it to be.
> * The editor will be executed in the user's SELinux context (as
> determined by getprevcon).
> Example:
> # export EDITOR=vim
> # semodule -E alsa
> <edit alsa module>
> <after quitting editor module is installed>
> ---

I'm concerned that this is over-engineering. Why not just provide -g (aka --checkout) and -i (aka --commit or --checkin), and let the editing happen entirely outside of the infrastructure? Do we really want to allow the caller to hold the transaction locks indefinitely?

-- 
Stephen Smalley
National Security Agency
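The workflow the reply argues for, check a module out, edit it outside the module store, check it back in, can be scripted with the same success/no-change/abort rules that the patch description gives for -E, and without any transaction lock being held while the editor is open. The script below is an added example, not code from the patch, from semodule or from either poster. It assumes $EDITOR names the editor (falling back to vi) and leaves the actual checkout and commit commands to the caller (the -g/-i options discussed are not assumed to exist). It also departs from the description in one deliberate way: change detection uses a content checksum rather than the file timestamp, since two saves within one second, or an editor that rewrites an identical file, would fool a timestamp check.

```shell
#!/bin/sh
# Added example (not code from the patch or from semodule): an edit loop that
# follows the rules the patch description gives for -E, but runs entirely
# outside the module store, so no transaction lock is held while the editor
# is open. The checkout/commit steps are left to the caller; the functions
# here only decide whether a commit is warranted.

# edit_module FILE
#   Opens FILE in $EDITOR (vi if unset) and reports what happened:
#     0  editor exited 0 and the content changed   -> commit wanted
#     1  editor exited 0 but nothing changed        -> nothing to commit
#     2  editor exited non-zero, or FILE missing    -> abort, commit nothing
#   Change detection uses a content checksum (cksum) instead of the mtime
#   mentioned in the patch description (assumption of this example).
edit_module() {
    file=$1
    [ -f "$file" ] || return 2
    before=$(cksum < "$file")
    "${EDITOR:-vi}" "$file"
    status=$?
    [ "$status" -eq 0 ] || return 2
    after=$(cksum < "$file")
    [ "$before" != "$after" ] || return 1
    return 0
}

# edit_modules FILE...
#   Edits each file in turn, the way repeated -E options would, stopping at
#   the first editor failure. Returns 0 if at least one file changed (the
#   caller should now commit), 1 if none did, 2 if an editor run failed.
edit_modules() {
    changed=0
    for f in "$@"; do
        edit_module "$f"
        case $? in
            0) changed=$((changed + 1)) ;;
            1) ;;
            *) echo "editor failed on $f; aborting, nothing committed" >&2
               return 2 ;;
        esac
    done
    [ "$changed" -gt 0 ] || return 1
    echo "$changed file(s) changed; commit them now"
    return 0
}

# Usage (after the caller has extracted the module sources to files):
#   . ./edit_module.sh && edit_modules alsa.te alsa.fc && <commit command>
```

Because the editor runs after the checkout and before the commit, the store is never locked on the editor's behalf; an editor left open overnight costs nothing, and a non-zero exit or an unchanged file simply means the caller skips the commit.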