2012-04-05 20:14:31

by jwcart2

Subject: [refpolicy] [PATCH 0/3] Create non_auth_file_type attribute and eliminate set expressions

This patch set reduces the binary policy size on my system from 4.7M to
2.1M with sediff showing no changes other than the addition of the new
attribute. This patch set will also make Refpolicy better suited to be
converted to CIL.

It does this by eliminating some set expressions related to file
accesses. Specifically, it creates alternative interfaces that can be
used instead of auth_read_all_*_except_auth_files,
auth_manage_all_files_except_auth_files, and
auth_relabel_all_files_except_auth_files. These alternative interfaces
rely on the newly created non_auth_file_type attribute instead of a set
expression.

Chris, a couple of notes:
1) I didn't do anything with the old interfaces, and nothing uses them
now in Refpolicy, so they could be deprecated if you would like.
2) The only thing that is an authentication file type is shadow_t and
there are specific interfaces for allowing access to shadow_t. Perhaps
creating interfaces for auth files and deprecating the shadow specific
ones would be the right thing to do in the future. Obviously, this is
not a pressing need.

--
James Carter <[email protected]>
National Security Agency
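The following is an added illustration of the technique the cover letter describes, written for this page and not taken from the patch set or from Refpolicy itself. Only the attribute name `non_auth_file_type` and the old interface name `auth_read_all_files_except_auth_files` come from the mail; the replacement interface name, the use of `read_files_pattern`, and the placement of the `typeattribute` line are assumptions that follow ordinary Refpolicy conventions.

```m4
## <summary>Illustrative only: replacing a set expression with an attribute.</summary>

# Declare the attribute once in a .te file (name taken from the patch description).
attribute non_auth_file_type;

# Every ordinary file type receives the attribute where it is declared, so
# "all file types except authentication files" becomes attribute membership
# rather than a set difference computed at each call site. Assumed to live in
# the existing type-declaration helper (files_type() in Refpolicy):
#   typeattribute $1 file_type, non_auth_file_type;

# Before: a set expression. Each caller re-states the difference, which the
# policy compiler must expand separately for every use.
interface(`auth_read_all_files_except_auth_files',`
	gen_require(`
		attribute file_type, auth_file_type;
	')

	read_files_pattern($1, { file_type -auth_file_type }, { file_type -auth_file_type })
')

# After: the same set is named by one attribute, so the rule carries a single
# attribute reference and no set arithmetic. (Interface name assumed.)
interface(`auth_read_all_non_auth_files',`
	gen_require(`
		attribute non_auth_file_type;
	')

	read_files_pattern($1, non_auth_file_type, non_auth_file_type)
')
```

The two interfaces grant identical access as long as every type that carries `file_type` but not `auth_file_type` also carries `non_auth_file_type`; the check the mail describes, running sediff on the policy built before and after the change and confirming that the only difference is the new attribute, is what verifies that invariant rather than trusting it by inspection.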