On Wed, 2010-10-13 at 10:17 -0400, Eric Paris wrote:
> On Wed, 2010-10-13 at 09:20 -0400, Eric Paris wrote:
> > On Tue, 2010-07-27 at 14:39 -0400, Stephen Smalley wrote:
> >
> > > Yes, I'd be in favor of that. Just define the rangetr_cmp function in
> > > the kernel to truly order the entries at load time and sort them in the
> > > same manner in libsepol before writing.
> >
> > Started working on this yesterday and still don't have a bit for bit
> > identical policy.
>
> [snip]
>
> > These two show that the files are now identical outside of the avtab
> > entries. Now I'm trying to figure out why the avtab entries are not the
> > same. Anyone have guesses off the top of their head?
>
> My first thought is that the avtab was allocated in expand_avtab() for
> the policy.25 and thus was done with an expected # of rules equal to
> MAX_AVTAB_SIZE, whereas the kernel builds a 'correctly' sized avtab
> since it knows the correct number of rules. If this is the case it
> explains how things would get put in different buckets and we end up
> with the same policy, but different ordering.
>
> If this is the case (which seems likely) I'm wondering the best way to
> fix this. I don't really want to have to rebuild the userspace avtable
> a second time just to get final ordering (as if userspace wasn't slow
> enough) but we can't size the avtab correctly during expand either...

Easy enough to fix. The kernel has MAX_HASH_BUCKETS = 1<<10 (I think it
was intended to be 11) whereas userspace was doing MAX_HASH_BUCKETS =
1<<12 (again I think the intention was 13). But maxing userspace out at
10 like the kernel I now have a bit for bit exact replica coming back out
of the kernel with my policydb write patch.

I'll work on cleaning everything up (including the MAX_HASH_BUCKETS thing
I don't quite understand) and post some patches.

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
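The bucket-count mismatch discussed in this thread can be reproduced with a small chained hash table. This is an added example, not code from the thread, the kernel or libsepol: the key layout, the hash function and the 64-rule set are all constructed, and the hash is kept deliberately simple so that bucket placement can be traced by hand (the real avtab_hash() differs). The same rules inserted in the same order serialise byte-for-byte identically only when both tables use the same number of buckets; a table of 1<<10 buckets and one of 1<<12 hold the same policy but emit it in a different sequence, because the larger mask keeps bits that the smaller one discards.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an avtab key; not the kernel's struct avtab_key. */
struct rule_key {
    uint16_t src;
    uint16_t tgt;
    uint16_t cls;
};

struct rule_node {
    struct rule_key key;
    struct rule_node *next;
};

struct rule_table {
    struct rule_node **buckets;
    size_t nbuckets;   /* power of two, in the spirit of MAX_HASH_BUCKETS */
};

/* Deliberately simple hash (hypothetical, not avtab_hash()): the source type
 * lands in bits 10 and up, so a 1<<10 table drops it and chains keys that a
 * 1<<12 table spreads over distinct buckets. */
static uint32_t rule_hash(const struct rule_key *k, size_t nbuckets)
{
    uint32_t h = ((uint32_t)k->src << 10) ^ ((uint32_t)k->tgt << 3) ^ k->cls;
    return h & (uint32_t)(nbuckets - 1);
}

static int table_init(struct rule_table *t, size_t nbuckets)
{
    t->buckets = calloc(nbuckets, sizeof *t->buckets);
    t->nbuckets = nbuckets;
    return t->buckets ? 0 : -1;
}

/* Insert at the head of the chain, as a typical chained table does. */
static int table_insert(struct rule_table *t, struct rule_key key)
{
    struct rule_node *n = malloc(sizeof *n);
    if (!n)
        return -1;
    uint32_t b = rule_hash(&key, t->nbuckets);
    n->key = key;
    n->next = t->buckets[b];
    t->buckets[b] = n;
    return 0;
}

/* Walk buckets 0..nbuckets-1 and each chain in order: the sequence a writer
 * that iterates the table would emit, which therefore depends on nbuckets. */
static size_t table_serialize(const struct rule_table *t, struct rule_key *out, size_t max)
{
    size_t n = 0;
    for (size_t b = 0; b < t->nbuckets; b++)
        for (struct rule_node *p = t->buckets[b]; p && n < max; p = p->next)
            out[n++] = p->key;
    return n;
}

static void table_free(struct rule_table *t)
{
    for (size_t b = 0; b < t->nbuckets; b++) {
        for (struct rule_node *p = t->buckets[b]; p;) {
            struct rule_node *next = p->next;
            free(p);
            p = next;
        }
    }
    free(t->buckets);
}

#define NRULES 64

/* Build a table of nbuckets from a constructed 4x4x4 rule set inserted in a
 * fixed order, serialise it into out, and return the number of keys written. */
size_t build_and_serialize(size_t nbuckets, struct rule_key *out, size_t max)
{
    struct rule_table t;
    if (table_init(&t, nbuckets) != 0)
        return 0;
    for (uint16_t i = 0; i < NRULES; i++) {
        struct rule_key k = { (uint16_t)(i / 16), (uint16_t)((i / 4) % 4), (uint16_t)(i % 4) };
        if (table_insert(&t, k) != 0) {
            table_free(&t);
            return 0;
        }
    }
    size_t n = table_serialize(&t, out, max);
    table_free(&t);
    return n;
}

/* 1 if the serialised output is byte-for-byte identical for both bucket counts. */
int same_order(size_t nbuckets_a, size_t nbuckets_b)
{
    struct rule_key a[NRULES], b[NRULES];
    size_t na = build_and_serialize(nbuckets_a, a, NRULES);
    size_t nb = build_and_serialize(nbuckets_b, b, NRULES);
    return na == nb && na > 0 && memcmp(a, b, na * sizeof a[0]) == 0;
}
```

Calling `same_order(1 << 10, 1 << 10)` returns 1, while `same_order(1 << 10, 1 << 12)` returns 0: with 1<<10 buckets every key whose hash differs only in the source type collapses into one chain, so bucket 0 is emitted as the chain for source types 3, 2, 1, 0 before anything else, whereas with 1<<12 buckets those keys are spread 1024 buckets apart. Neither output is wrong as a policy; they are the same set in a different order, which is exactly why a bit-for-bit comparison of kernel and userspace output requires both sides to agree on the table geometry, not just on the rules.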