On 04/05/2017 11:42 AM, Nick Kralevich wrote:
I noticed that this change hasn't landed in the selinux git repository
yet. It helps solve some problems we're seeing with regards to
excessive number of attributes. Is there something holding up this
change from being committed?
No. I've just been busy working on another patch that should also help with an
excessive number of attributes.
Jim
-- Nick
On Wed, Mar 29, 2017 at 11:58 AM, James Carter <jwcart2@xxxxxxxxxxxxx> wrote:
CIL does not allow type or role sets in certain rules (such as allow
rules). It does, however, allow sets in typeattributeset and
roleattributeset statements. Because of this, when module_to_cil
translates a policy into CIL, it creates a new attribute for each
set that it encounters. But often the same set is used multiple times
which means that more attributes are created then necessary. As the
number of attributes increases the time required for the kernel to
make each policy decision increases which can be a problem.
To help reduce the number of attributes in a kernel policy,
when module_to_cil encounters a role or type set search to see if the
set was encountered already and, if it was, use the previously
generated attribute instead of creating a new one.
Testing on Android and Refpolicy policies show that this reduces the
number of attributes generated by about 40%.
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
