2012-04-25 14:25:35

by jwcart2

Subject: [refpolicy] [PATCH 0/4 v2] Create non_auth_file_type attribute and some eliminate set expressions

This patch set reduces the binary policy size on my system from 4.7M to
2.1M with sediff showing no changes other than the addition of the new
attribute. This patch set also makes Refpolicy easier to convert to CIL.

It does this by eliminating some set expressions related to file
accesses. A new type attribute called non_auth_file_type is created
along with interfaces to allow access to files with this attribute.
These alternative interfaces can be used instead of the
*_except_auth_files interfaces which use a set expression that expands
into a large number of rules.

In this version of the patch set:
- White space errors have been corrected (I think)
- The new interfaces in files.if have been put together and placed
  before the configuration file interfaces.
- Renamed the files_read_non_auth_dirs to be files_list_non_auth_dirs.
- Changed the authlogin.if interfaces to use the new interfaces and
  deprecated them.

--
James Carter <[email protected]>
National Security Agency


2012-05-04 13:15:56

by cpebenito

Subject: [refpolicy] [PATCH 0/4 v2] Create non_auth_file_type attribute and some eliminate set expressions

On 04/25/12 10:25, James Carter wrote:
> This patch set reduces the binary policy size on my system from 4.7M to
> 2.1M with sediff showing no changes other than the addition of the new
> attribute. This patch set also makes Refpolicy easier to convert to CIL.
>
> It does this by eliminating some set expressions related to file
> accesses. A new type attribute called non_auth_file_type is created
> along with interfaces to allow access to files with this attribute.
> These alternative interfaces can be used instead of the
> *_except_auth_files interfaces which use a set expression that expands
> into a large number of rules.
>
> In this version of the patch set:
> - White space errors have been corrected (I think)
> - The new interfaces in files.if have been put together and placed
>   before the configuration file interfaces.
> - Renamed the files_read_non_auth_dirs to be files_list_non_auth_dirs.
> - Changed the authlogin.if interfaces to use the new interfaces and
>   deprecated them.

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
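
Added example, not part of the original thread or of Refpolicy: a small Python model of the size reduction the cover letter describes, comparing a subtracted type set stored per target type with a single rule on the non_auth_file_type attribute, and checking that effective access is unchanged. All type and domain names and the counts are constructed; only file_type and non_auth_file_type are attribute names from the policy.

```python
from itertools import product

# Constructed sample policy; every type and domain name here is illustrative.
AUTH_TYPES = {"auth_secret_t"}
FILE_TYPES = {f"app{i}_file_t" for i in range(200)} | AUTH_TYPES
DOMAINS = [f"dom{i}_t" for i in range(30)]
ATTRIBUTES = {
    "file_type": FILE_TYPES,
    "non_auth_file_type": FILE_TYPES - AUTH_TYPES,
}

def rules_with_set_expression(domains):
    # Models "allow dom { file_type -auth_secret_t }:file read;" stored as
    # one rule per remaining target type (the expansion the cover letter cites).
    targets = ATTRIBUTES["file_type"] - AUTH_TYPES
    return {(d, t, "file", "read") for d, t in product(domains, targets)}

def rules_with_attribute(domains):
    # Models "allow dom non_auth_file_type:file read;" stored once per domain.
    return {(d, "non_auth_file_type", "file", "read") for d in domains}

def effective_access(rules):
    # Expand attribute targets to concrete types, as a policy diff would.
    return {(s, t, c, p) for s, tgt, c, p in rules
            for t in ATTRIBUTES.get(tgt, {tgt})}

def attribute_gaps():
    # File types that are neither auth files nor tagged non_auth_file_type
    # would silently lose access after the conversion.
    return ATTRIBUTES["file_type"] - AUTH_TYPES - ATTRIBUTES["non_auth_file_type"]

def compare(domains=DOMAINS):
    before = rules_with_set_expression(domains)
    after = rules_with_attribute(domains)
    reach = effective_access(after)
    return {
        "rules_before": len(before),
        "rules_after": len(after),
        "same_access": effective_access(before) == reach,
        "auth_reachable": any(t in AUTH_TYPES for _, t, _, _ in reach),
        "gaps": attribute_gaps(),
    }

if __name__ == "__main__":
    print(compare())
```

A non-empty `gaps` result is the case to watch for when adopting the attribute: a file type that was covered by the set expression but never assigned non_auth_file_type loses access without any rule being removed.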