On Wed, Apr 12, 2017 at 02:20:32PM -0400, James Carter wrote: > On 04/12/2017 09:35 AM, Dominick Grift wrote: > > On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote: > > > On 04/12/2017 02:11 AM, Dominick Grift wrote: > > > > On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote: > > > > > The number of type attributes included in the binary policy is becomming a performance issue in some cases. > > > > > > > > > > This patch set more aggressives removes attributes and gives the options to expand and remove all auto-generated attributes and all attributes with fewer than a given amount of attributes assigned. > > > > > > > > > > Comparison of the number of attributes remaining in the binary policy > > > > > mls normal android > > > > > org 310 286 255 > > > > > old 268 251 130 > > > > > max 154 20 17 > > > > > min 226 173 119 > > > > > def 224 170 80 > > > > > gen 221 170 46 > > > > > u5 191 112 59 > > > > > > > > > > Org - Number of attributes in the CIL policy > > > > > Old - Results without this patch set > > > > > Max - Remove the maximum number of attributes: "-G -X 9999" > > > > > Min - Remove the minimum number of attributes: "-X 0" > > > > > Def - The new defaults for CIL > > > > > Gen - Just removing auto-generated attributes: "-G" > > > > > U5 - Remove attributes with less than five members: "-X 5" > > > > > > > > I tried this with my policy: > > > > > > > > old defaults > > > > > > > > size: 949K > > > > typeattributes: 765 > > > > types: 1420 > > > > allow rules: 24812 > > > > > > > > new defaults > > > > > > > > size: 876K > > > > typeattributes: 641 > > > > types: 1418 > > > > allow rules: 20998 > > > > > > > > I cannot imagine where the difference went.. every aspect improved. I expected to see some trade-offs instead here. > > > > > > > > > > I hope that the number of types going from 1420 to 1418 is a typo. I don't > > > see how my patch set would remove any types, but, if it is, then that is a > > > problem. > > > > > > With your dssp1-standard policy, I see: > > > Before : 1178K, 9938 attributes, and 534 types > > > After (default): 574K, 3209 attributes, and 534 types > > > After (-X5) : 471K, 2206 attributes, and 534 types > > > > > > Jim > > > > The test that i did was with dssp2-standard (my current work). So if you want you can see for yourself on github. > > > > you can then also see that I , with dssp2-standard, still have attributes without types associated with it > > > > At least: > > > > seinfo -a | grep adm_subj_type | grep -v service.service | wc -l > > 90 > > > > Thanks, this was do to an older bug. If an attribute had already been > evaluated in an expression, then cil_typeattribute_used() would not be > called on it. > > So now I have for your dssp1-standard policy: > Before : 1178K, 9938 attributes, and 534 types > After (default): 420K, 1621 attributes, and 534 types > After (-X5) : 275K, 248 attributes, and 534 types The above is where my dssp1 model really shines. These stats are what i envisioned when I started to design it at first, I abandoned it because of this bug but also because of one other fundamental limitation: namely that one cannot associate typeattributes in booleanif. Is this really something that we cannot overcome? > > So now I have for your dssp2-standard policy: > Before : 918K, 772 attributes, and 1426 types > After (default): 889K, 551 attributes, and 1426 types > After (-X5) : 901K, 160 attributes, and 1426 types > > And: > seinfo -a policy.30 | grep adm_subj_type | grep -v service.service | wc -l > 0 > > Jim > > > > > > > > > > > > > > > > > > > James Carter (2): > > > > > libsepol/cil: Add ability to expand some attributes in binary policy > > > > > secilc: Add options to control the expansion of attributes > > > > > > > > > > libsepol/cil/include/cil/cil.h | 2 + > > > > > libsepol/cil/src/cil.c | 12 ++ > > > > > libsepol/cil/src/cil_binary.c | 253 +++++++++++++++++++++++++++---------- > > > > > libsepol/cil/src/cil_internal.h | 7 +- > > > > > libsepol/cil/src/cil_post.c | 32 +++-- > > > > > libsepol/cil/src/cil_resolve_ast.c | 25 ++-- > > > > > libsepol/src/libsepol.map.in | 2 + > > > > > secilc/secil2conf.c | 2 + > > > > > secilc/secilc.8.xml | 10 ++ > > > > > secilc/secilc.c | 31 ++++- > > > > > 10 files changed, 275 insertions(+), 101 deletions(-) > > > > > > > > > > -- > > > > > 2.7.4 > > > > > > > > > > _______________________________________________ > > > > > Selinux mailing list > > > > > Selinux@xxxxxxxxxxxxx > > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > > > > _______________________________________________ > > > > Selinux mailing list > > > > Selinux@xxxxxxxxxxxxx > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > -- > > > James Carter <jwcart2@xxxxxxxxxxxxx> > > > National Security Agency > > > _______________________________________________ > > > Selinux mailing list > > > Selinux@xxxxxxxxxxxxx > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > _______________________________________________ > > Selinux mailing list > > Selinux@xxxxxxxxxxxxx > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > -- > James Carter <jwcart2@xxxxxxxxxxxxx> > National Security Agency > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
