From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH 1/2] SELinux: allow userspace to read policy back out of the kernel
From: Eric Paris
To: Stephen Smalley
Cc: selinux@tycho.nsa.gov, jmorris@namei.org, kaigai@kaigai.gr.jp, method@manicmethod.com
In-Reply-To: <1286979463.2614.31.camel@localhost.localdomain>
References: <20100726193407.19538.67667.stgit@paris.rdu.redhat.com>
 <1280177335.17036.5.camel@moss-pluto.epoch.ncsc.mil>
 <1280254278.2788.7.camel@dhcp231-200.rdu.redhat.com>
 <1280255967.4789.87.camel@moss-pluto.epoch.ncsc.mil>
 <1286976052.2614.24.camel@localhost.localdomain>
 <1286979463.2614.31.camel@localhost.localdomain>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 13 Oct 2010 15:15:42 -0400
Message-ID: <1286997342.2614.35.camel@localhost.localdomain>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Wed, 2010-10-13 at 10:17 -0400, Eric Paris wrote:
> On Wed, 2010-10-13 at 09:20 -0400, Eric Paris wrote:
> > On Tue, 2010-07-27 at 14:39 -0400, Stephen Smalley wrote:
> >
> > > Yes, I'd be in favor of that. Just define the rangetr_cmp function in
> > > the kernel to truly order the entries at load time and sort them in the
> > > same manner in libsepol before writing.
> >
> > Started working on this yesterday and still don't have a bit for bit
> > identical policy.
>
> [snip]
>
> > These two show that the files are now identical outside of the avtab
> > entries. Now I'm trying to figure out why the avtab entries are not the
> > same. Anyone have guesses off the top of their head?
>
> My first thought is that the avtab was allocated in expand_avtab() for
> the policy.25 and thus was done with an expected # of rules equal to
> MAX_AVTAB_SIZE, whereas the kernel builds a 'correctly' sized avtab
> since it knows the correct number of rules. If this is the case it
> explains how things would get put in different buckets and we end up
> with the same policy, but different ordering.
>
> If this is the case (which seems likely) I'm wondering the best way to
> fix this. I don't really want to have to rebuild the userspace avtable
> a second time just to get final ordering (as if userspace wasn't slow
> enough) but we can't size the avtab correctly during expand either...

Easy enough to fix. The kernel has MAX_HASH_BUCKETS = 1<<10 (I think it
was intended to be 11) whereas userspace was doing MAX_HASH_BUCKETS = 1<<12
(again I think the intention was 13). But maxing userspace out at 10 like
the kernel I now have a bit for bit exact replica coming back out of the
kernel with my policydb write patch.

I'll work on cleaning everything up (including the MAX_HASH_BUCKETS thing
I don't quite understand) and post some patches.

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
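The effect Eric describes (two tables holding exactly the same rules, but serializing in different orders because they were allocated with different bucket counts, and becoming byte-for-byte identical once both sides cap at the same MAX_HASH_BUCKETS) can be reproduced with a small chained hash table. The following is an added example written for this archive page; it is not code from the thread, from the kernel's avtab.c or from libsepol. The hash function, the sizing rule, the 12 sample rules and the toy caps (3 and 4 bits standing in for 1<<10 and 1<<12) are all constructed for illustration, and `demo_orders_differ`, `demo_capped_identical` and the other names are hypothetical.

```c
/* Added example: why the same avtab contents serialize differently when the
 * "userspace" and "kernel" sides were allocated with different bucket counts.
 * Everything here is constructed for illustration; it is not SELinux code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_RULES 64

struct rule  { uint16_t source, target, tclass; };
struct node  { struct rule key; struct node *next; };
struct table { unsigned nslot; struct node **slots; };

/* Constructed hash in the shape of a classic avtab hash: mix the key fields,
 * then mask to the bucket count (always a power of two here). */
static unsigned rule_hash(const struct rule *r, unsigned nslot)
{
    unsigned h = r->tclass + (r->target << 2) + (r->source << 9);
    return h & (nslot - 1);
}

/* Constructed sizing rule: next power of two at or above nrules, capped at
 * 1 << max_bits. The cap plays the role of MAX_HASH_BUCKETS in the thread. */
static unsigned sized_nslot(unsigned nrules, unsigned max_bits)
{
    unsigned shift = 1;
    while (shift < 31 && (1u << shift) < nrules)
        shift++;
    if (shift > max_bits)
        shift = max_bits;
    return 1u << shift;
}

static struct table *table_alloc(unsigned nslot)
{
    struct table *t = malloc(sizeof *t);
    if (!t) abort();
    t->nslot = nslot;
    t->slots = calloc(nslot, sizeof *t->slots);
    if (!t->slots) abort();
    return t;
}

/* Append at the tail of the chain so insertion order is preserved inside a
 * bucket; the bucket a key lands in is then the only thing deciding output order. */
static void table_insert(struct table *t, const struct rule *r)
{
    struct node *n = malloc(sizeof *n);
    struct node **link = &t->slots[rule_hash(r, t->nslot)];
    if (!n) abort();
    n->key = *r;
    n->next = NULL;
    while (*link)
        link = &(*link)->next;
    *link = n;
}

static void table_free(struct table *t)
{
    for (unsigned i = 0; i < t->nslot; i++) {
        struct node *p = t->slots[i];
        while (p) { struct node *next = p->next; free(p); p = next; }
    }
    free(t->slots);
    free(t);
}

/* "Write the policy": walk buckets in index order, emitting each chain. */
static unsigned table_serialize(const struct table *t, struct rule *out, unsigned max)
{
    unsigned n = 0;
    for (unsigned i = 0; i < t->nslot; i++)
        for (const struct node *p = t->slots[i]; p && n < max; p = p->next)
            out[n++] = p->key;
    return n;
}

static unsigned build_and_serialize(const struct rule *rules, unsigned nrules,
                                    unsigned nslot, struct rule *out)
{
    struct table *t = table_alloc(nslot);
    for (unsigned i = 0; i < nrules; i++)
        table_insert(t, &rules[i]);
    unsigned n = table_serialize(t, out, MAX_RULES);
    table_free(t);
    return n;
}

static int same_order(const struct rule *a, const struct rule *b, unsigned n)
{
    return memcmp(a, b, n * sizeof *a) == 0;
}

/* Constructed sample: 12 distinct (source, target, class) keys. */
static const struct rule sample_rules[] = {
    {1,1,1},{1,2,1},{2,1,3},{1,3,2},{2,2,1},{2,3,2},
    {3,1,1},{3,2,3},{3,3,1},{4,1,2},{4,2,1},{4,3,3},
};
#define NSAMPLE ((unsigned)(sizeof sample_rules / sizeof sample_rules[0]))

/* Toy caps: the "kernel" sizes for the rules it really has, capped at 1<<3;
 * "userspace" sizes for a large expected maximum and, in the buggy case,
 * caps one bit higher. Stand-ins for the thread's 1<<10 versus 1<<12. */
#define KERNEL_MAX_BITS     3u
#define USER_MAX_BITS_BUGGY 4u
#define USER_EXPECTED_RULES 4096u

/* 1 when both sides hold the same rules yet serialize in different orders. */
int demo_orders_differ(void)
{
    struct rule user_out[MAX_RULES], kern_out[MAX_RULES];
    unsigned nu = build_and_serialize(sample_rules, NSAMPLE,
                  sized_nslot(USER_EXPECTED_RULES, USER_MAX_BITS_BUGGY), user_out);
    unsigned nk = build_and_serialize(sample_rules, NSAMPLE,
                  sized_nslot(NSAMPLE, KERNEL_MAX_BITS), kern_out);
    return nu == nk && !same_order(user_out, kern_out, nk);
}

/* 1 when capping userspace at the kernel's bucket count makes the two
 * serializations byte-for-byte identical. */
int demo_capped_identical(void)
{
    struct rule user_out[MAX_RULES], kern_out[MAX_RULES];
    unsigned nu = build_and_serialize(sample_rules, NSAMPLE,
                  sized_nslot(USER_EXPECTED_RULES, KERNEL_MAX_BITS), user_out);
    unsigned nk = build_and_serialize(sample_rules, NSAMPLE,
                  sized_nslot(NSAMPLE, KERNEL_MAX_BITS), kern_out);
    return nu == nk && same_order(user_out, kern_out, nk);
}

int main(void)
{
    printf("different caps -> orders differ:   %d\n", demo_orders_differ());
    printf("same cap       -> orders identical: %d\n", demo_capped_identical());
    return 0;
}
```

With 8 buckets the keys (1,2,1) and (1,1,1) land in buckets 1 and 5, so (1,2,1) is written first; with 16 buckets they land in 9 and 5, so the pair flips. That is all it takes for a policy written from a table allocated at a different size to come back with the same rules in a different order, which is why a round-trip comparison needs both sides to agree on the bucket count rather than on the number of rules.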