From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy
Date: Wed, 12 Apr 2017 16:07:13 +0200 [thread overview]
Message-ID: <20170412140713.GC3438@markus> (raw)
In-Reply-To: <e63b48e6-4535-972f-62bd-9ea53a9863e7@tycho.nsa.gov>
On Wed, Apr 12, 2017 at 09:35:42AM -0400, James Carter wrote:
> On 04/12/2017 09:26 AM, James Carter wrote:
> > On 04/12/2017 02:11 AM, Dominick Grift wrote:
> > > On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote:
> > > > The number of type attributes included in the binary policy is becoming a
> > > > performance issue in some cases.
> > > >
> > > > This patch set more aggressively removes attributes and gives the options to
> > > > expand and remove all auto-generated attributes and all attributes with fewer
> > > > than a given number of attributes assigned.
> > > >
> > > > Comparison of the number of attributes remaining in the binary policy
> > > >        mls   normal   android
> > > > org    310    286      255
> > > > old    268    251      130
> > > > max    154     20       17
> > > > min    226    173      119
> > > > def    224    170       80
> > > > gen    221    170       46
> > > > u5     191    112       59
> > > >
> > > > Org - Number of attributes in the CIL policy
> > > > Old - Results without this patch set
> > > > Max - Remove the maximum number of attributes: "-G -X 9999"
> > > > Min - Remove the minimum number of attributes: "-X 0"
> > > > Def - The new defaults for CIL
> > > > Gen - Just removing auto-generated attributes: "-G"
> > > > U5 - Remove attributes with less than five members: "-X 5"
> > >
> > > I tried this with my policy:
> > >
> > > old defaults
> > >
> > > size: 949K
> > > typeattributes: 765
> > > types: 1420
> > > allow rules: 24812
> > >
> > > new defaults
> > >
> > > size: 876K
> > > typeattributes: 641
> > > types: 1418
> > > allow rules: 20998
> > >
> > > I cannot imagine where the difference went... every aspect improved. I expected
> > > to see some trade-offs here instead.
> > >
> >
> > I hope that the number of types going from 1420 to 1418 is a typo. I don't see
> > how my patch set would remove any types, but, if it is, then that is a problem.
> >
>
> I should point out that in all of my testing I have not had sediff report
> any differences in allow rules. The only differences that should be seen
> with this patch set is in the attributes that a type is associated with and
> the attributes that are actually defined in the policy. Any change seen
> outside of the Types and Attribute sections of the sediff output would be a
> bug.
>
> Jim
Never mind the two types; those were added with local modules. So that's all good.
>
> > With your dssp1-standard policy, I see:
> > Before : 1178K, 9938 attributes, and 534 types
> > After (default): 574K, 3209 attributes, and 534 types
> > After (-X5) : 471K, 2206 attributes, and 534 types
> >
> > Jim
> >
> > > >
> > > >
> > > > James Carter (2):
> > > > libsepol/cil: Add ability to expand some attributes in binary policy
> > > > secilc: Add options to control the expansion of attributes
> > > >
> > > > libsepol/cil/include/cil/cil.h | 2 +
> > > > libsepol/cil/src/cil.c | 12 ++
> > > > libsepol/cil/src/cil_binary.c | 253 +++++++++++++++++++++++++++----------
> > > > libsepol/cil/src/cil_internal.h | 7 +-
> > > > libsepol/cil/src/cil_post.c | 32 +++--
> > > > libsepol/cil/src/cil_resolve_ast.c | 25 ++--
> > > > libsepol/src/libsepol.map.in | 2 +
> > > > secilc/secil2conf.c | 2 +
> > > > secilc/secilc.8.xml | 10 ++
> > > > secilc/secilc.c | 31 ++++-
> > > > 10 files changed, 275 insertions(+), 101 deletions(-)
> > > >
> > > > --
> > > > 2.7.4
> > > >
> > > > _______________________________________________
> > > > Selinux mailing list
> > > > Selinux@tycho.nsa.gov
> > > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > > > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
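The invariant Jim describes above (expansion may change only which attributes exist and which types belong to them; the effective allow access must be identical) can be checked on a toy model. The following is an added example, not libsepol/CIL code or anything from the patch set: the policy (types, attributes, rules) is constructed, and `expand_attributes` merely mimics the `-X N` threshold and, via `always_expand`, the `-G` behaviour of expanding a named set of attributes.

```python
# Toy model (constructed for this example, not libsepol/CIL code) of what
# "expanding" a type attribute in the binary policy means: every rule that
# names the attribute is rewritten against the attribute's member types and
# the attribute itself is dropped.  The property to verify is the one stated
# in the thread: effective allow access must be identical before and after;
# only the Types/Attributes view may differ.

# Constructed sample policy.  Attribute -> set of member types.
ATTRS = {
    "domain": {"init_t", "sshd_t", "httpd_t"},
    "file_type": {"etc_t", "bin_t", "tmp_t"},
    "netd": {"sshd_t", "httpd_t"},      # two members
    "exec_type": {"bin_t"},             # one member
    "empty_attr": set(),                # declared but never assigned a type
}

# Allow rules as (source, target, class, perms); source/target may be a type
# or an attribute name.
RULES = [
    ("domain", "file_type", "file", frozenset({"read", "getattr"})),
    ("domain", "exec_type", "file", frozenset({"execute"})),
    ("netd", "netd", "tcp_socket", frozenset({"accept"})),
    ("init_t", "exec_type", "file", frozenset({"read"})),
    ("empty_attr", "file_type", "file", frozenset({"write"})),
    ("sshd_t", "tmp_t", "dir", frozenset({"write"})),
]


def expand_attributes(attrs, rules, min_members, always_expand=()):
    """Expand every attribute with fewer than `min_members` types (the -X N
    knob) plus any listed in `always_expand` (stands in for -G, which targets
    auto-generated attributes).  Returns (remaining_attrs, rewritten_rules).
    """
    to_expand = {a for a, members in attrs.items()
                 if len(members) < min_members or a in always_expand}
    remaining = {a: set(m) for a, m in attrs.items() if a not in to_expand}

    def names(x):
        # An expanded attribute is replaced by its member types; an empty
        # attribute expands to nothing, so rules naming it simply vanish.
        return sorted(attrs[x]) if x in to_expand else [x]

    # Rewrite, then merge rules that now share (source, target, class) by
    # unioning their permission sets, as a policy compiler would.
    merged = {}
    for src, tgt, cls, perms in rules:
        for s in names(src):
            for t in names(tgt):
                key = (s, t, cls)
                merged[key] = merged.get(key, frozenset()) | perms
    rewritten = {(s, t, c, p) for (s, t, c), p in merged.items()}
    return remaining, rewritten


def effective_access(attrs, rules):
    """Flatten rules to concrete (type, type, class, perm) tuples: the view a
    semantic diff such as sediff compares, independent of attributes."""
    def members(x):
        return attrs[x] if x in attrs else {x}

    access = set()
    for src, tgt, cls, perms in rules:
        for s in members(src):
            for t in members(tgt):
                for p in perms:
                    access.add((s, t, cls, p))
    return access


def summarize(min_members, always_expand=()):
    """Attribute/rule counts after expansion and whether access is preserved."""
    remaining, rewritten = expand_attributes(ATTRS, RULES, min_members, always_expand)
    same = effective_access(ATTRS, RULES) == effective_access(remaining, rewritten)
    return {"attributes": len(remaining), "rules": len(rewritten),
            "access_preserved": same}


if __name__ == "__main__":
    for n in (0, 1, 2, 3, 9999):
        print(f"-X {n:<4}", summarize(n))
    print("-G-like ", summarize(0, always_expand=("netd",)))
```

Running it prints the attribute and rule counts for each threshold, with `access_preserved` true in every case. Two effects worth noticing in the model: expanding an attribute that has no members drops every rule that named it, so the rule count can fall as well as rise, and expanding a multi-member attribute multiplies rules until the merge step folds together the ones that end up on the same (source, target, class) key.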