SELinux Archive on lore.kernel.org
 help / Atom feed
From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [Non-DoD Source] [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild
Date: Fri, 14 Jun 2019 09:38:50 -0400
Message-ID: <2721d28c-c07c-2893-0443-4919cc5e2494@tycho.nsa.gov> (raw)
In-Reply-To: <CAFqZXNsgRTcH_=AUWNeGTdVNwBSDpw6EG9xu4B8uQJwa7zJdPA@mail.gmail.com>

On 6/14/19 6:18 AM, Ondrej Mosnacek wrote:
> On Thu, Jun 13, 2019 at 9:51 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>> On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
>>> When building binary policy, optionally run it through
>>> sepol_policydb_optimize() just before writing it out.
>>>
>>> Add an optimize-policy variable to semanage.conf(5) that controls
>>
>> Sorry I didn't notice this in v3, but why not use "optimize" instead of
>> "optimize-policy"?
> 
> Since this is in a global libsemanage config file, I thought it would
> be better if the name described also what is being optimized. In
> secilc or checkpolicy it is more or less obvious; in the config file
> it can't hurt to be more specific, IMHO.
> 

Ok. I just wanted to make sure we had thought about it.

Jim

>>
>> Jim
>>
>>> whether optimization will be applied during libsemanage operations.
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>>> ---
>>>    libsemanage/man/man5/semanage.conf.5 |  5 +++++
>>>    libsemanage/src/conf-parse.y         | 15 ++++++++++++++-
>>>    libsemanage/src/conf-scan.l          |  1 +
>>>    libsemanage/src/direct_api.c         |  7 +++++++
>>>    libsemanage/src/semanage_conf.h      |  1 +
>>>    5 files changed, 28 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
>>> index 8f8de55a..8efc7dd5 100644
>>> --- a/libsemanage/man/man5/semanage.conf.5
>>> +++ b/libsemanage/man/man5/semanage.conf.5
>>> @@ -121,6 +121,11 @@ and by default it is set to "false".
>>>    Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
>>>    In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
>>>
>>> +.TP
>>> +.B optimize-policy
>>> +When set to "true", the kernel policy will be optimized upon rebuilds.
>>> +It can be set to either "true" or "false" and by default it is set to "false".
>>> +
>>>    .SH "SEE ALSO"
>>>    .TP
>>>    semanage(8)
>>> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
>>> index b527e893..9bf9364a 100644
>>> --- a/libsemanage/src/conf-parse.y
>>> +++ b/libsemanage/src/conf-parse.y
>>> @@ -59,7 +59,7 @@ static int parse_errors;
>>>            char *s;
>>>    }
>>>
>>> -%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>>> +%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
>>>    %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
>>>    %token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
>>>    %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>>> @@ -95,6 +95,7 @@ single_opt:     module_store
>>>        |       bzip_blocksize
>>>        |       bzip_small
>>>        |       remove_hll
>>> +     |       optimize_policy
>>>            ;
>>>
>>>    module_store:   MODULE_STORE '=' ARG {
>>> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
>>>        free($3);
>>>    }
>>>
>>> +optimize_policy:  OPTIMIZE_POLICY '=' ARG {
>>> +     if (strcasecmp($3, "false") == 0) {
>>> +             current_conf->optimize_policy = 0;
>>> +     } else if (strcasecmp($3, "true") == 0) {
>>> +             current_conf->optimize_policy = 1;
>>> +     } else {
>>> +             yyerror("optimize-policy can only be 'true' or 'false'");
>>> +     }
>>> +     free($3);
>>> +}
>>> +
>>>    command_block:
>>>                    command_start external_opts BLOCK_END  {
>>>                            if (new_external->path == NULL) {
>>> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
>>>        conf->bzip_small = 0;
>>>        conf->ignore_module_cache = 0;
>>>        conf->remove_hll = 0;
>>> +     conf->optimize_policy = 0;
>>>
>>>        conf->save_previous = 0;
>>>        conf->save_linked = 0;
>>> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
>>> index 607bbf0b..b06a896c 100644
>>> --- a/libsemanage/src/conf-scan.l
>>> +++ b/libsemanage/src/conf-scan.l
>>> @@ -54,6 +54,7 @@ handle-unknown    return HANDLE_UNKNOWN;
>>>    bzip-blocksize      return BZIP_BLOCKSIZE;
>>>    bzip-small  return BZIP_SMALL;
>>>    remove-hll  return REMOVE_HLL;
>>> +optimize-policy return OPTIMIZE_POLICY;
>>>    "[load_policy]"   return LOAD_POLICY_START;
>>>    "[setfiles]"      return SETFILES_START;
>>>    "[sefcontext_compile]"      return SEFCONTEXT_COMPILE_START;
>>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>>> index c58961be..0153091f 100644
>>> --- a/libsemanage/src/direct_api.c
>>> +++ b/libsemanage/src/direct_api.c
>>> @@ -1461,6 +1461,13 @@ rebuild:
>>>
>>>                cil_db_destroy(&cildb);
>>>
>>> +             /* Remove redundancies in binary policy if requested. */
>>> +             if (sh->conf->optimize_policy) {
>>> +                     retval = sepol_policydb_optimize(out);
>>> +                     if (retval < 0)
>>> +                             goto cleanup;
>>> +             }
>>> +
>>>                /* Write the linked policy before merging local changes. */
>>>                retval = semanage_write_policydb(sh, out,
>>>                                                 SEMANAGE_LINKED);
>>> diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
>>> index c99ac8c7..23c4b8b4 100644
>>> --- a/libsemanage/src/semanage_conf.h
>>> +++ b/libsemanage/src/semanage_conf.h
>>> @@ -47,6 +47,7 @@ typedef struct semanage_conf {
>>>        int bzip_small;
>>>        int remove_hll;
>>>        int ignore_module_cache;
>>> +     int optimize_policy;
>>>        char *ignoredirs;       /* ";" separated of list for genhomedircon to ignore */
>>>        struct external_prog *load_policy;
>>>        struct external_prog *setfiles;
>>>
>>
>>
>> --
>> James Carter <jwcart2@tycho.nsa.gov>
>> National Security Agency
> 
> 
> 
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-13 11:45 [PATCH userspace v4 0/4] Remove redundant rules when building policydb Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 1/4] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild Ondrej Mosnacek
2019-06-13 19:51   ` [Non-DoD Source] " jwcart2
2019-06-14 10:18     ` Ondrej Mosnacek
2019-06-14 13:38       ` jwcart2 [this message]
2019-06-13 11:45 ` [PATCH userspace v4 3/4] secilc: add flag to enable policy optimization Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 4/4] checkpolicy: " Ondrej Mosnacek

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2721d28c-c07c-2893-0443-4919cc5e2494@tycho.nsa.gov \
    --to=jwcart2@tycho.nsa.gov \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox