Re: [PATCH 0/3] libsepol: Speed up policy optimization

[Stephen Smalley <stephen.smalley.work@gmail.com>]

On Mon, Mar 2, 2020 at 9:50 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Feb 28, 2020 at 1:08 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Feb 27, 2020 at 11:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > This series contains two small changes (these don't seem to affect
> > > performance measurably, but are nonetheless logical) and a patch that
> > > changes how the policy optimization "type_map" helper structure is
> > > represented, which speeds up the whole process.
> > >
> > > Ondrej Mosnacek (3):
> > >   libsepol: skip unnecessary check in build_type_map()
> > >   libsepol: optimize inner loop in build_type_map()
> > >   libsepol: speed up policy optimization
> >
> > Not a comment on the patches themselves, but this made me wonder if
> > the optimization support is actually tested by our travis
> > configuration.
> > Doesn't appear to be (e.g. no usage of -O/--optimize or semanage.conf
> > with optimize-policy true).
>
> Adding optimize-policy = true to /etc/selinux/semanage.conf and
> running semodule -BN before and after these patches yields different
> binary kernel policy files (policy.32).
> Is that expected?

Here is one example difference between the policies, along with what
was present in the original unoptimized policy:
$ sesearch -A -s guest_t -t guest_t -c context -p contains policy.32.unoptimized
allow guest_t guest_t:context contains;
allow guest_usertype guest_usertype:context contains;

$ sesearch -A -s guest_t -t guest_t -c context -p contains
policy.32.optimizedbefore
allow guest_t guest_t:context contains;

$ sesearch -A -s guest_t -t guest_t -c context -p contains
policy.32.optimizedafter
allow guest_usertype guest_usertype:context contains;

Seems like the code prior to these changes yielded a more optimal
policy since guest_usertype only has a single type in it.