From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [Non-DoD Source] [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild
Date: Fri, 14 Jun 2019 09:38:50 -0400 [thread overview]
Message-ID: <2721d28c-c07c-2893-0443-4919cc5e2494@tycho.nsa.gov> (raw)
In-Reply-To: <CAFqZXNsgRTcH_=AUWNeGTdVNwBSDpw6EG9xu4B8uQJwa7zJdPA@mail.gmail.com>
On 6/14/19 6:18 AM, Ondrej Mosnacek wrote:
> On Thu, Jun 13, 2019 at 9:51 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>> On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
>>> When building binary policy, optionally run it through
>>> sepol_policydb_optimize() just before writing it out.
>>>
>>> Add an optimize-policy variable to semanage.conf(5) that controls
>>
>> Sorry I didn't notice this in v3, but why not use "optimize" instead of
>> "optimize-policy"?
>
> Since this is in a global libsemanage config file, I thought it would
> be better if the name described also what is being optimized. In
> secilc or checkpolicy it is more or less obvious; in the config file
> it can't hurt to be more specific, IMHO.
>
Ok. I just wanted to make sure we had thought about it.
Jim
>>
>> Jim
>>
>>> whether optimization will be applied during libsemanage operations.
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>>> ---
>>> libsemanage/man/man5/semanage.conf.5 | 5 +++++
>>> libsemanage/src/conf-parse.y | 15 ++++++++++++++-
>>> libsemanage/src/conf-scan.l | 1 +
>>> libsemanage/src/direct_api.c | 7 +++++++
>>> libsemanage/src/semanage_conf.h | 1 +
>>> 5 files changed, 28 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
>>> index 8f8de55a..8efc7dd5 100644
>>> --- a/libsemanage/man/man5/semanage.conf.5
>>> +++ b/libsemanage/man/man5/semanage.conf.5
>>> @@ -121,6 +121,11 @@ and by default it is set to "false".
>>> Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
>>> In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
>>>
>>> +.TP
>>> +.B optimize-policy
>>> +When set to "true", the kernel policy will be optimized upon rebuilds.
>>> +It can be set to either "true" or "false" and by default it is set to "false".
>>> +
>>> .SH "SEE ALSO"
>>> .TP
>>> semanage(8)
>>> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
>>> index b527e893..9bf9364a 100644
>>> --- a/libsemanage/src/conf-parse.y
>>> +++ b/libsemanage/src/conf-parse.y
>>> @@ -59,7 +59,7 @@ static int parse_errors;
>>> char *s;
>>> }
>>>
>>> -%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>>> +%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
>>> %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
>>> %token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
>>> %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>>> @@ -95,6 +95,7 @@ single_opt: module_store
>>> | bzip_blocksize
>>> | bzip_small
>>> | remove_hll
>>> + | optimize_policy
>>> ;
>>>
>>> module_store: MODULE_STORE '=' ARG {
>>> @@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG {
>>> free($3);
>>> }
>>>
>>> +optimize_policy: OPTIMIZE_POLICY '=' ARG {
>>> + if (strcasecmp($3, "false") == 0) {
>>> + current_conf->optimize_policy = 0;
>>> + } else if (strcasecmp($3, "true") == 0) {
>>> + current_conf->optimize_policy = 1;
>>> + } else {
>>> + yyerror("optimize-policy can only be 'true' or 'false'");
>>> + }
>>> + free($3);
>>> +}
>>> +
>>> command_block:
>>> command_start external_opts BLOCK_END {
>>> if (new_external->path == NULL) {
>>> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
>>> conf->bzip_small = 0;
>>> conf->ignore_module_cache = 0;
>>> conf->remove_hll = 0;
>>> + conf->optimize_policy = 0;
>>>
>>> conf->save_previous = 0;
>>> conf->save_linked = 0;
>>> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
>>> index 607bbf0b..b06a896c 100644
>>> --- a/libsemanage/src/conf-scan.l
>>> +++ b/libsemanage/src/conf-scan.l
>>> @@ -54,6 +54,7 @@ handle-unknown return HANDLE_UNKNOWN;
>>> bzip-blocksize return BZIP_BLOCKSIZE;
>>> bzip-small return BZIP_SMALL;
>>> remove-hll return REMOVE_HLL;
>>> +optimize-policy return OPTIMIZE_POLICY;
>>> "[load_policy]" return LOAD_POLICY_START;
>>> "[setfiles]" return SETFILES_START;
>>> "[sefcontext_compile]" return SEFCONTEXT_COMPILE_START;
>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>> index c58961be..0153091f 100644
>>> --- a/libsemanage/src/direct_api.c
>>> +++ b/libsemanage/src/direct_api.c
>>> @@ -1461,6 +1461,13 @@ rebuild:
>>>
>>> cil_db_destroy(&cildb);
>>>
>>> + /* Remove redundancies in binary policy if requested. */
>>> + if (sh->conf->optimize_policy) {
>>> + retval = sepol_policydb_optimize(out);
>>> + if (retval < 0)
>>> + goto cleanup;
>>> + }
>>> +
>>> /* Write the linked policy before merging local changes. */
>>> retval = semanage_write_policydb(sh, out,
>>> SEMANAGE_LINKED);
>>> diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
>>> index c99ac8c7..23c4b8b4 100644
>>> --- a/libsemanage/src/semanage_conf.h
>>> +++ b/libsemanage/src/semanage_conf.h
>>> @@ -47,6 +47,7 @@ typedef struct semanage_conf {
>>> int bzip_small;
>>> int remove_hll;
>>> int ignore_module_cache;
>>> + int optimize_policy;
>>> char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
>>> struct external_prog *load_policy;
>>> struct external_prog *setfiles;
>>>
>>
>>
>> --
>> James Carter <jwcart2@tycho.nsa.gov>
>> National Security Agency
>
>
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
next prev parent reply other threads:[~2019-06-14 13:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-13 11:45 [PATCH userspace v4 0/4] Remove redundant rules when building policydb Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 1/4] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild Ondrej Mosnacek
2019-06-13 19:51 ` [Non-DoD Source] " jwcart2
2019-06-14 10:18 ` Ondrej Mosnacek
2019-06-14 13:38 ` jwcart2 [this message]
2019-06-13 11:45 ` [PATCH userspace v4 3/4] secilc: add flag to enable policy optimization Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 4/4] checkpolicy: " Ondrej Mosnacek
2019-06-21 14:11 ` [Non-DoD Source] [PATCH userspace v4 0/4] Remove redundant rules when building policydb jwcart2
2019-06-25 15:01 ` jwcart2
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2721d28c-c07c-2893-0443-4919cc5e2494@tycho.nsa.gov \
--to=jwcart2@tycho.nsa.gov \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).