I noticed that this change hasn't landed in the selinux git repository yet. It helps solve some problems we're seeing with regard to an excessive number of attributes. Is there something holding up this change from being committed?

-- Nick

On Wed, Mar 29, 2017 at 11:58 AM, James Carter <jwcart2@xxxxxxxxxxxxx> wrote:
> CIL does not allow type or role sets in certain rules (such as allow
> rules). It does, however, allow sets in typeattributeset and
> roleattributeset statements. Because of this, when module_to_cil
> translates a policy into CIL, it creates a new attribute for each
> set that it encounters. But often the same set is used multiple times,
> which means that more attributes are created than necessary. As the
> number of attributes increases, the time required for the kernel to
> make each policy decision increases, which can be a problem.
>
> To help reduce the number of attributes in a kernel policy,
> when module_to_cil encounters a role or type set, search to see if the
> set was encountered already and, if it was, use the previously
> generated attribute instead of creating a new one.
>
> Testing on Android and Refpolicy policies shows that this reduces the
> number of attributes generated by about 40%.
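The deduplication James describes, as an added illustration that is not module_to_cil's own code: a cache keyed on the frozen set of members hands back the attribute generated the first time a set was seen, so repeated sets (even with members listed in a different order) stop minting new attributes. The attribute naming scheme, the tuple input format and the sample types are assumptions made for the example.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple


class SetAttributeCache:
    """Reuse one generated CIL attribute per distinct type or role set.

    CIL accepts sets only in typeattributeset/roleattributeset, so a set
    used in an allow rule must become an attribute. Keying on
    (kind, frozenset(members)) makes a repeated set reuse the first one.
    """

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, FrozenSet[str]], str] = {}
        self.statements: List[str] = []  # generated attribute declarations

    def attribute_for(self, kind: str, members: Iterable[str]) -> str:
        key = (kind, frozenset(members))
        attr = self._cache.get(key)
        if attr is None:
            # Hypothetical naming scheme; the real tool's names differ.
            attr = f"{kind}_set_{len(self._cache)}"
            self._cache[key] = attr
            self.statements.append(f"({kind}attribute {attr})")
            self.statements.append(
                f"({kind}attributeset {attr} ({' '.join(sorted(key[1]))}))")
        return attr


def translate_allow_rules(rules: List[Tuple[List[str], List[str], str, List[str]]]):
    """Turn constructed (sources, targets, class, perms) tuples into CIL.

    A one-element list is a plain type; larger lists go through the cache.
    Returns (attribute statements, allow rules, attributes generated).
    """
    cache = SetAttributeCache()
    allows: List[str] = []
    for srcs, tgts, cls, perms in rules:
        src = srcs[0] if len(srcs) == 1 else cache.attribute_for("type", srcs)
        tgt = tgts[0] if len(tgts) == 1 else cache.attribute_for("type", tgts)
        allows.append(f"(allow {src} {tgt} ({cls} ({' '.join(perms)})))")
    return cache.statements, allows, len(cache._cache)


if __name__ == "__main__":
    # Constructed sample input: the same source set appears three times,
    # once with its members in a different order.
    sample = [
        (["sshd_t", "login_t"], ["user_home_t"], "file", ["read"]),
        (["login_t", "sshd_t"], ["user_home_t"], "file", ["write"]),
        (["sshd_t", "login_t"], ["shadow_t", "passwd_file_t"], "file", ["read"]),
    ]
    attrs, allows, n = translate_allow_rules(sample)
    print("\n".join(attrs + allows), f"\n{n} attribute(s) for 4 set occurrences")
```

Without the cache the same input would produce four attributes; with it, only the two distinct sets become attributes.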