On 10/14/2016 10:32 AM, Stephen Smalley wrote:
> On 10/14/2016 10:15 AM, William Roberts wrote:
>> Is it to be expected that checkfc would actually fail on refpolicy?
>>
>> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
>> Error: "fs_type" is not defined in this policy.
>>
>> I could comment out the validation callback... but just wondering if
>> this is expected.
>
> Yes, you hardcoded Android-specific type attributes in checkfc,
> remember? That's fine since it is an Android-only tool. In Linux, we
> just run setfiles -c /path/to/policy /path/to/file_contexts to do the
> same thing, or these days sefcontext_compile -p /path/to/policy
> /path/to/file_contexts will validate it.

Or if you want a test program that just processes file_contexts and
looks up an entry, you can use selabel_lookup or matchpathcon from
libselinux/utils.

>
>>
>> On Fri, Oct 14, 2016 at 9:08 AM, William Roberts
>> <bill.c.roberts@xxxxxxxxx> wrote:
>>> Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and
>>> it only took 4 seconds.
>>>
>>> On Fri, Oct 14, 2016 at 9:07 AM, William Roberts
>>> <bill.c.roberts@xxxxxxxxx> wrote:
>>>> Likely not, I see it compiling version 29 and I am on Ubuntu which is
>>>> way out of date with this stuff... should I just use the checkpolicy
>>>> from my AOSP tree?
>>>>
>>>> Or should I just install with some particular set of options from
>>>> selinux master repo?
>>>>
>>>> On Fri, Oct 14, 2016 at 9:06 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>>> On 10/14/2016 09:02 AM, William Roberts wrote:
>>>>>> Looks like make MONOLITHIC=y policy to get the binary policy file....
>>>>>>
>>>>>> Is it normal for checkpolicy to take 5 minutes?
>>>>>
>>>>> No, at least not with a modern checkpolicy. Are you using a current
>>>>> version?
>>>>>
>>>>> $ time make MONOLITHIC=y policy
>>>>> Compiling refpolicy policy.30
>>>>> /usr/bin/checkpolicy -U deny policy.conf -o policy.30
>>>>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>>>>> /usr/bin/checkpolicy: policy configuration loaded
>>>>> /usr/bin/checkpolicy: writing binary representation (version 30) to
>>>>> policy.30
>>>>>
>>>>> real 0m3.341s
>>>>> user 0m3.280s
>>>>> sys 0m0.061s
>>>>>
>>>>>>
>>>>>> From TOP:
>>>>>> 31178 wcrobert 20 0 812552 751940 1628 R 100.0 4.6 4:47.36
>>>>>> checkpolicy
>>>>>>
>>>>>> On Thu, Oct 13, 2016 at 4:37 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>>>>>> On 10/13/2016 03:28 PM, Roberts, William C wrote:
>>>>>>>> I was looking back at my speedup patch for nodups specs…
>>>>>>>>
>>>>>>>> http://marc.info/?l=selinux&m=147249024230263&w=2
>>>>>>>>
>>>>>>>> I was testing before with a large, generated file_context file. I was
>>>>>>>> wondering what would be a good source for
>>>>>>>>
>>>>>>>> A desktop version of a file_contexts (textual preference as I can run
>>>>>>>> sefcontext_compile on it) file as well as a binary
>>>>>>>>
>>>>>>>> policy file….
>>>>>>>>
>>>>>>>> Should I just use refpolicy?
>>>>>>>
>>>>>>> That's probably fine, unless you happen to have Fedora installed and can
>>>>>>> just use its file_contexts file.
>>>>>>>
>>>>>>> $ cd refpolicy
>>>>>>> $ make MONOLITHIC=y conf
>>>>>>> $ make MONOLITHIC=y file_contexts
>>>>>>> $ wc -l file_contexts
>>>>>>> 4908 file_contexts
>>>>>>> $ wc -l /etc/selinux/targeted/contexts/files/file_contexts
>>>>>>> 6075 /etc/selinux/targeted/contexts/files/file_contexts
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Selinux mailing list
>>>>>>> Selinux@xxxxxxxxxxxxx
>>>>>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>>>>>>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>>>>>>
>>>>>
>>>>
>>>> --
>>>> Respectfully,
>>>>
>>>> William C Roberts
>>>
>>> --
>>> Respectfully,
>>>
>>> William C Roberts
>>
>