* speeding up nodups_specs, need large fc file.
@ 2016-10-13 19:28 Roberts, William C
  2016-10-13 20:37 ` Stephen Smalley
  0 siblings, 1 reply; 11+ messages in thread
From: Roberts, William C @ 2016-10-13 19:28 UTC (permalink / raw)
  To: 'selinux@tycho.nsa.gov'

I was looking back at my speedup patch for nodups specs...
http://marc.info/?l=selinux&m=147249024230263&w=2

I was testing before with a large, generated file_context file. I was
wondering what would be a good source for a desktop version of a
file_contexts (textual preference as I can run sefcontext_compile on it)
file as well as a binary policy file....

Should I just use refpolicy?

Bill

* Re: speeding up nodups_specs, need large fc file.
  2016-10-13 19:28 speeding up nodups_specs, need large fc file Roberts, William C
@ 2016-10-13 20:37 ` Stephen Smalley
  2016-10-14 13:02   ` William Roberts
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2016-10-13 20:37 UTC (permalink / raw)
  To: Roberts, William C, 'selinux@tycho.nsa.gov'

On 10/13/2016 03:28 PM, Roberts, William C wrote:
> I was looking back at my speedup patch for nodups specs…
>
> http://marc.info/?l=selinux&m=147249024230263&w=2
>
> I was testing before with a large, generated file_context file. I was
> wondering what would be a good source for a desktop version of a
> file_contexts (textual preference as I can run sefcontext_compile on it)
> file as well as a binary policy file….
>
> Should I just use refpolicy?

That's probably fine, unless you happen to have Fedora installed and can
just use its file_contexts file.

$ cd refpolicy
$ make MONOLITHIC=y conf
$ make MONOLITHIC=y file_contexts
$ wc -l file_contexts
4908 file_contexts
$ wc -l /etc/selinux/targeted/contexts/files/file_contexts
6075 /etc/selinux/targeted/contexts/files/file_contexts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-13 20:37 ` Stephen Smalley
@ 2016-10-14 13:02   ` William Roberts
  2016-10-14 13:06     ` Stephen Smalley
  0 siblings, 1 reply; 11+ messages in thread
From: William Roberts @ 2016-10-14 13:02 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Roberts, William C, selinux

Looks like make MONOLITHIC=y policy to get the binary policy file....

Is it normal for checkpolicy to take 5 minutes?

From TOP:
31178 wcrobert  20   0  812552 751940   1628 R 100.0  4.6   4:47.36 checkpolicy

-- 
Respectfully,

William C Roberts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 13:02   ` William Roberts
@ 2016-10-14 13:06     ` Stephen Smalley
  2016-10-14 13:07       ` William Roberts
  0 siblings, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2016-10-14 13:06 UTC (permalink / raw)
  To: William Roberts; +Cc: Roberts, William C, selinux

On 10/14/2016 09:02 AM, William Roberts wrote:
> Looks like make MONOLITHIC=y policy to get the binary policy file....
> 
> Is it normal for checkpolicy to take 5 minutes?

No, at least not with a modern checkpolicy.  Are you using a current
version?

$ time make MONOLITHIC=y policy
Compiling refpolicy policy.30
/usr/bin/checkpolicy -U deny policy.conf -o policy.30
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
/usr/bin/checkpolicy:  policy configuration loaded
/usr/bin/checkpolicy:  writing binary representation (version 30) to policy.30

real	0m3.341s
user	0m3.280s
sys	0m0.061s

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 13:06     ` Stephen Smalley
@ 2016-10-14 13:07       ` William Roberts
  2016-10-14 13:08         ` William Roberts
  2016-10-14 13:10         ` Stephen Smalley
  0 siblings, 2 replies; 11+ messages in thread
From: William Roberts @ 2016-10-14 13:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Roberts, William C, selinux

Likely not, I see it compiling version 29 and I am on Ubuntu which is
way out of date with this stuff... should I just use the checkpolicy
from my AOSP tree?

Or should I just install with some particular set of options from
selinux master repo?

-- 
Respectfully,

William C Roberts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 13:07       ` William Roberts
@ 2016-10-14 13:08         ` William Roberts
  2016-10-14 14:15           ` William Roberts
  2016-10-14 13:10         ` Stephen Smalley
  1 sibling, 1 reply; 11+ messages in thread
From: William Roberts @ 2016-10-14 13:08 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Roberts, William C, selinux

Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and
it only took 4 seconds.

-- 
Respectfully,

William C Roberts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 13:07       ` William Roberts
  2016-10-14 13:08         ` William Roberts
@ 2016-10-14 13:10         ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2016-10-14 13:10 UTC (permalink / raw)
  To: William Roberts; +Cc: Roberts, William C, selinux

On 10/14/2016 09:07 AM, William Roberts wrote:
> Likely not, I see it compiling version 29 and I am on ubuntu which is
> way out of date with this stuff... should I just use the checkpolicy
> from my AOSP tree?
> 
> Or should I just install with some particular set of options from
> selinux master repo?

AOSP version should be fine.

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 13:08         ` William Roberts
@ 2016-10-14 14:15           ` William Roberts
  2016-10-14 14:32             ` Stephen Smalley
  0 siblings, 1 reply; 11+ messages in thread
From: William Roberts @ 2016-10-14 14:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Roberts, William C, selinux

Is it to be expected that checkfc would actually fail on refpolicy?

$ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
Error: "fs_type" is not defined in this policy.

I could comment out the validation callback... but just wondering if
this is expected.


-- 
Respectfully,

William C Roberts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 14:15           ` William Roberts
@ 2016-10-14 14:32             ` Stephen Smalley
  2016-10-14 14:32               ` William Roberts
  2016-10-14 14:36               ` Stephen Smalley
  0 siblings, 2 replies; 11+ messages in thread
From: Stephen Smalley @ 2016-10-14 14:32 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On 10/14/2016 10:15 AM, William Roberts wrote:
> Is it to be expected that checkfc would actually fail on refpolicy?
> 
> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
> Error: "fs_type" is not defined in this policy.
> 
> I could comment out the validation callback... but just wondering if
> this is expected.

Yes, you hardcoded Android-specific type attributes in checkfc,
remember?  That's fine since it is an Android-only tool.  In Linux, we
just run setfiles -c /path/to/policy /path/to/file_contexts to do the
same thing, or these days sefcontext_compile -p /path/to/policy
/path/to/file_contexts will validate it.

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 14:32             ` Stephen Smalley
@ 2016-10-14 14:32               ` William Roberts
  2016-10-14 14:36               ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: William Roberts @ 2016-10-14 14:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Oct 14, 2016 at 10:32 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 10/14/2016 10:15 AM, William Roberts wrote:
>> Is it to be expected that checkfc would actually fail on refpolicy?
>>
>> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
>> Error: "fs_type" is not defined in this policy.
>>
>> I could comment out the validation callback... but just wondering if
>> this is expected.
>
> Yes, you hardcoded Android-specific type attributes in checkfc,
> remember?

Now I do, I totally forgot about that.

-- 
Respectfully,

William C Roberts

* Re: speeding up nodups_specs, need large fc file.
  2016-10-14 14:32             ` Stephen Smalley
  2016-10-14 14:32               ` William Roberts
@ 2016-10-14 14:36               ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2016-10-14 14:36 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On 10/14/2016 10:32 AM, Stephen Smalley wrote:
> On 10/14/2016 10:15 AM, William Roberts wrote:
>> Is it to be expected that checkfc would actually fail on refpolicy?
>>
>> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
>> Error: "fs_type" is not defined in this policy.
>>
>> I could comment out the validation callback... but just wondering if
>> this is expected.
> 
> Yes, you hardcoded Android-specific type attributes in checkfc,
> remember?  That's fine since it is an Android-only tool.  In Linux, we
> just run setfiles -c /path/to/policy /path/to/file_contexts to do the
> same thing, or these days sefcontext_compile -p /path/to/policy
> /path/to/file_contexts will validate it.

Or if you want a test program that just processes file_contexts and
looks up an entry, you can use selabel_lookup or matchpathcon from
libselinux/utils.
