From: Eric Paris <eparis@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, jmorris@namei.org, kaigai@kaigai.gr.jp,
method@manicmethod.com
Subject: Re: [PATCH 1/2] SELinux: allow userspace to read policy back out of the kernel
Date: Wed, 13 Oct 2010 10:17:43 -0400 [thread overview]
Message-ID: <1286979463.2614.31.camel@localhost.localdomain> (raw)
In-Reply-To: <1286976052.2614.24.camel@localhost.localdomain>
On Wed, 2010-10-13 at 09:20 -0400, Eric Paris wrote:
> On Tue, 2010-07-27 at 14:39 -0400, Stephen Smalley wrote:
> > Yes, I'd be in favor of that. Just define the rangetr_cmp function in
> > the kernel to truly order the entries at load time and sort them in the
> > same manner in libsepol before writing.
>
> Started working on this yesterday and still don't have a bit for bit
> identical policy.
[snip]
> These two show that the files are now identical outside of the avtab
> entries. Now I'm trying to figure out why the avtab entries are not the
> same. Anyone have guesses off the top of their head?
My first thought is that the avtab was allocated in expand_avtab() for
the policy.25 and thus was done with an expected # of rules equal to
MAX_AVTAB_SIZE, whereas the kernel builds a 'correctly' sized avtab
since it knows the correct number of rules. If this is the case it
explains how things would get put in different buckets and we end up
with the same policy, but different ordering.
If this is the case (which seems likely) I'm wondering the best way to
fix this. I don't really want to have to rebuild the userspace avtable
a second time just to get final ordering (as if userspace wasn't slow
enough) but we can't size the avtab correctly during expand either...
-Eric
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2010-10-13 14:17 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-26 19:34 [PATCH 1/2] SELinux: allow userspace to read policy back out of the kernel Eric Paris
2010-07-26 19:34 ` [PATCH 2/2] selinux: implement mmap on /selinux/policy Eric Paris
2010-07-27 16:47 ` Stephen Smalley
2010-07-27 16:50 ` Eric Paris
2010-07-27 18:36 ` Stephen Smalley
2010-07-27 18:51 ` Eric Paris
2010-07-27 19:09 ` Stephen Smalley
2010-07-27 19:16 ` Eric Paris
2010-07-27 19:20 ` Stephen Smalley
2010-07-27 19:24 ` Eric Paris
2010-07-27 19:28 ` Stephen Smalley
2010-07-27 20:24 ` Eric Paris
2010-07-29 12:50 ` Stephen Smalley
2010-07-29 17:58 ` Eric Paris
2010-07-26 20:48 ` [PATCH 1/2] SELinux: allow userspace to read policy back out of the kernel Stephen Smalley
2010-07-27 18:11 ` Eric Paris
2010-07-27 18:39 ` Stephen Smalley
2010-10-13 13:20 ` Eric Paris
2010-10-13 14:17 ` Eric Paris [this message]
2010-10-13 19:15 ` Eric Paris
2010-07-27 18:31 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1286979463.2614.31.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=jmorris@namei.org \
--cc=kaigai@kaigai.gr.jp \
--cc=method@manicmethod.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.