Re: [RFC] Source Policy, CIL, and High Level Languages

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Steve Lawrence <slawrence@tresys.com>,
	Dominick Grift <dominick.grift@gmail.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [RFC] Source Policy, CIL, and High Level Languages
Date: Fri, 18 Jul 2014 10:30:42 -0400	[thread overview]
Message-ID: <53C92F92.6070607@tycho.nsa.gov> (raw)
In-Reply-To: <53C91A48.7040704@tresys.com>

On 07/18/2014 08:59 AM, Steve Lawrence wrote:
> There isn't currently a way to extract policy from the store, but that
> has been a use case that has been discussed in the past. Something like
> the following could be useful:
> 
> semodule --priority 400 --extract foo # outputs to foo.<hll>
> edit foo.<hll>
> semodule --priority 500 --install foo.<hll>
> 
> So there could be cases in the future where it could be convenient to
> keep the HLL files around.

Sure, for source modules.  For pp files, though?

> Another option to reduce disk usage could be to disable caching of the
> CIL files (right now, we only have an option to ignore the cached
> files). This way, the user could still do the above and edit hll files
> without having to rely on them being accessible from somewhere else.
> Though, this would incur a penalty of having to recompile HLL files for
> every change (which in my tests, about doubles compilation time).

Seems less useful than being able to disable storage of the HLL files.
No penalty incurred, you just have to know that you won't need them
again or that they will remain available externally.

>> More generally, if the user knows that the hll module is going to be
>> saved elsewhere, then there is no reason to retain a copy in the policy
>> store, so having the option of dropping the hll version, either for all
>> modules or for specific modules, seems useful.
> 
> Do you see this feature as necessary for this patchset to be upstreamed,
> or is this something we could add as a later update?

Not absolutely required, just wondering if we might encounter issues
with migration on some systems due to insufficient space.  We'll
actually have 3 copies of each module, 2 pp files (one still in
/etc/selinux/targeted/modules, not deleted by the migration script) and
1 cil file.  Plus all of the copying that occurs during the transaction
and installation of the files (-> /var/lib/selinux/targeted/tmp, ->
/var/lib/selinux/tmp/targeted?, -> /etc/selinux/targeted).  Any idea
what the max storage requirement for successful migration relative to
the original size of the policy store?