Hide Forgot
Description of problem: semodule -i doesn't support input from stdin Version-Release number of selected component (if applicable): policycoreutils-2.5-13.fc24.x86_64 How reproducible: Always. Steps to Reproduce: # echo '(allow psad_t psad_var_log_t(file (read rename unlink write)))' | semodule -i semodule: option requires an argument -- 'i' usage: semodule [options]... MODE [MODES]... [...] # echo '(allow psad_t psad_var_log_t(file (read rename unlink write)))' | semodule -i - libsemanage.map_file: Unable to open - (No such file or directory). libsemanage.semanage_direct_install_file: Unable to read file - (No such file or directory). semodule: Failed on -! Expected results: Successful policy import. Additional info: This would be useful in rpm scriptlets while avoiding temporary file creation. For now, I'm using this: TMPDIR=$(%{_bindir}/mktemp -d) cat >> $TMPDIR/psad-rpm.cil << __EOF__ (allow psad_t psad_var_log_t(file (read rename unlink write))) __EOF__ %{_sbindir}/semodule -i $TMPDIR/psad-rpm.cil rm $TMPDIR/psad-rpm.cil && rmdir $TMPDIR
'semodule -i' uses a filename as a module name and for detection if the module uses pp or cil language. In your case, 'semodule -i -' would create a module called '-' and wouldn't know what if it's cil or pp.
Well, how about adding command line options to set the module name and the "language" together with stdin input support?
Please send your ideas and rationale to upstream mailing list at selinux.gov When it's accepted we can backport it to Fedora.