SELinux Archive on
 help / color / Atom feed
From: Ondrej Mosnacek <>
Cc: James Carter <>,
	Stephen Smalley <>,
	Chris PeBenito <>,
	Petr Lautrbach <>
Subject: [PATCH v6 0/2] userspace: Implement new format of filename trans rules
Date: Fri, 31 Jul 2020 13:10:33 +0200
Message-ID: <> (raw)

These patches are the userspace side of the following kernel commits:
c3a276111ea2 ("selinux: optimize storage of filename transitions") [1]
430059024389 ("selinux: implement new format of filename transitions") [2].

The first patch changes libsepol's internal representation of filename
transition rules in a way similar to the kernel commit.

The second patch then builds upon that and implements reading and
writing of the new binary policy format that uses this representation
also in the data layout.

See individual patches for more details.

NOTE: This series unfortunately breaks the build of setools. Moreover,
when an existing build of setools dynamically links against the new
libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
handling this, since setools relies on non-public libsepol policydb
API/ABI. There is a draft PR that adapts setools to these changes here:

See also this discussion about the setools impact:

Changes in v6:
 - simplify the interface of policydb_filetrans_insert()
   - i.e. make it possible to pass NULL to name_alloc to simplify most

Changes in v5:
 - fix comment in filename_trans_read() to not change when being moved
 - fix filename_trans_check_datum()
   - destroy temporary ebitmaps at return
   - actually iterate through datums

Changes in v4:
 - rebased on top of latest master branch

Changes in v3:
 - fixed the change in dispol.c to match the rest of the code
 - renamed the helper functions to use the "_compat" suffix rather than
   "_old" and "_new"

Changes in v2:
 - fixed counting rules when reading the new policy format


Ondrej Mosnacek (2):
  libsepol,checkpolicy: optimize storage of filename transitions
  libsepol: implement POLICYDB_VERSION_COMP_FTRANS

 checkpolicy/policy_define.c                |  49 +---
 checkpolicy/test/dispol.c                  |  20 +-
 libsepol/cil/src/cil_binary.c              |  26 +-
 libsepol/include/sepol/policydb/policydb.h |  18 +-
 libsepol/src/expand.c                      |  56 +---
 libsepol/src/kernel_to_cil.c               |  24 +-
 libsepol/src/kernel_to_conf.c              |  24 +-
 libsepol/src/policydb.c                    | 314 +++++++++++++++++----
 libsepol/src/write.c                       | 101 +++++--
 9 files changed, 433 insertions(+), 199 deletions(-)


             reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-31 11:10 Ondrej Mosnacek [this message]
2020-07-31 11:10 ` [PATCH v6 1/2] libsepol,checkpolicy: optimize storage of filename transitions Ondrej Mosnacek
2020-08-03 13:56   ` Stephen Smalley
2020-08-06 12:02     ` Stephen Smalley
2020-07-31 11:10 ` [PATCH v6 2/2] libsepol: implement POLICYDB_VERSION_COMP_FTRANS Ondrej Mosnacek
2020-08-03 13:57   ` Stephen Smalley
2020-08-06 12:03     ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on

Archives are clonable:
	git clone --mirror selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ \
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone