On 10/14/2016 10:15 AM, William Roberts wrote:
> Is it to be expected that checkfc would actually fail on refpolicy?
>
> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
> Error: "fs_type" is not defined in this policy.
>
> I could comment out the validation callback... but just wondering if
> this is expected.

Yes, you hardcoded Android-specific type attributes in checkfc,
remember? That's fine since it is an Android-only tool. In Linux, we
just run setfiles -c /path/to/policy /path/to/file_contexts to do the
same thing, or these days sefcontext_compile -p /path/to/policy
/path/to/file_contexts will validate it.

>
>
> On Fri, Oct 14, 2016 at 9:08 AM, William Roberts
> <bill.c.roberts@xxxxxxxxx> wrote:
>> Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and
>> it only took 4 seconds.
>>
>> On Fri, Oct 14, 2016 at 9:07 AM, William Roberts
>> <bill.c.roberts@xxxxxxxxx> wrote:
>>> Likely not, I see it compiling version 29 and I am on ubuntu which is
>>> way out of date with this stuff... should I just use the checkpolicy
>>> from my AOSP tree?
>>>
>>> Or should I just install with some particular set of options from
>>> selinux master repo?
>>>
>>> On Fri, Oct 14, 2016 at 9:06 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>> On 10/14/2016 09:02 AM, William Roberts wrote:
>>>>> Looks like make MONOLITHIC=y policy to get the binary policy file....
>>>>>
>>>>> Is it normal for checkpolicy to take 5 minutes?
>>>>
>>>> No, at least not with a modern checkpolicy. Are you using a current
>>>> version?
>>>>
>>>> $ time make MONOLITHIC=y policy
>>>> Compiling refpolicy policy.30
>>>> /usr/bin/checkpolicy -U deny policy.conf -o policy.30
>>>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>> /usr/bin/checkpolicy: writing binary representation (version 30) to
>>>> policy.30
>>>>
>>>> real 0m3.341s
>>>> user 0m3.280s
>>>> sys 0m0.061s
>>>>
>>>>>
>>>>> From TOP:
>>>>> 31178 wcrobert 20 0 812552 751940 1628 R 100.0 4.6 4:47.36
>>>>> checkpolicy
>>>>>
>>>>> On Thu, Oct 13, 2016 at 4:37 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>>>> On 10/13/2016 03:28 PM, Roberts, William C wrote:
>>>>>>> I was looking back at my speedup patch for nodups specs…
>>>>>>>
>>>>>>> http://marc.info/?l=selinux&m=147249024230263&w=2
>>>>>>>
>>>>>>> I was testing before with a large, generated file_context file. I was
>>>>>>> wondering what would be a good source for
>>>>>>>
>>>>>>> A desktop version of a file_contexts (textual preference as I can run
>>>>>>> sefcontext_compile on it) file as well as a binary
>>>>>>>
>>>>>>> policy file….
>>>>>>>
>>>>>>> Should I just use refpolicy?
>>>>>>
>>>>>> That's probably fine, unless you happen to have Fedora installed and can
>>>>>> just use its file_contexts file.
>>>>>>
>>>>>> $ cd refpolicy
>>>>>> $ make MONOLITHIC=y conf
>>>>>> $ make MONOLITHIC=y file_contexts
>>>>>> $ wc -l file_contexts
>>>>>> 4908 file_contexts
>>>>>> $ wc -l /etc/selinux/targeted/contexts/files/file_contexts
>>>>>> 6075 /etc/selinux/targeted/contexts/files/file_contexts
>>>>>>
>>>>>> _______________________________________________
>>>>>> Selinux mailing list
>>>>>> Selinux@xxxxxxxxxxxxx
>>>>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>>>>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>>>>>
>>>>
>>>
>>> --
>>> Respectfully,
>>>
>>> William C Roberts
>>
>> --
>> Respectfully,
>>
>> William C Roberts