On Wed, Apr 12, 2017 at 04:07:57PM -0400, James Carter wrote: > On 04/12/2017 03:12 PM, Dominick Grift wrote: > > On Wed, Apr 12, 2017 at 02:20:32PM -0400, James Carter wrote: > > > On 04/12/2017 09:35 AM, Dominick Grift wrote: > > > > On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote: > > > > > On 04/12/2017 02:11 AM, Dominick Grift wrote: > > > > > > On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote: > > > > > > > The number of type attributes included in the binary policy is becomming a performance issue in some cases. > > > > > > > > > > > > > > This patch set more aggressives removes attributes and gives the options to expand and remove all auto-generated attributes and all attributes with fewer than a given amount of attributes assigned. > > > > > > > > > > > > > > Comparison of the number of attributes remaining in the binary policy > > > > > > > mls normal android > > > > > > > org 310 286 255 > > > > > > > old 268 251 130 > > > > > > > max 154 20 17 > > > > > > > min 226 173 119 > > > > > > > def 224 170 80 > > > > > > > gen 221 170 46 > > > > > > > u5 191 112 59 > > > > > > > > > > > > > > Org - Number of attributes in the CIL policy > > > > > > > Old - Results without this patch set > > > > > > > Max - Remove the maximum number of attributes: "-G -X 9999" > > > > > > > Min - Remove the minimum number of attributes: "-X 0" > > > > > > > Def - The new defaults for CIL > > > > > > > Gen - Just removing auto-generated attributes: "-G" > > > > > > > U5 - Remove attributes with less than five members: "-X 5" > > > > > > > > > > > > I tried this with my policy: > > > > > > > > > > > > old defaults > > > > > > > > > > > > size: 949K > > > > > > typeattributes: 765 > > > > > > types: 1420 > > > > > > allow rules: 24812 > > > > > > > > > > > > new defaults > > > > > > > > > > > > size: 876K > > > > > > typeattributes: 641 > > > > > > types: 1418 > > > > > > allow rules: 20998 > > > > > > > > > > > > I cannot imagine where the difference went.. every aspect improved. I expected to see some trade-offs instead here. > > > > > > > > > > > > > > > > I hope that the number of types going from 1420 to 1418 is a typo. I don't > > > > > see how my patch set would remove any types, but, if it is, then that is a > > > > > problem. > > > > > > > > > > With your dssp1-standard policy, I see: > > > > > Before : 1178K, 9938 attributes, and 534 types > > > > > After (default): 574K, 3209 attributes, and 534 types > > > > > After (-X5) : 471K, 2206 attributes, and 534 types > > > > > > > > > > Jim > > > > > > > > The test that i did was with dssp2-standard (my current work). So if you want you can see for yourself on github. > > > > > > > > you can then also see that I , with dssp2-standard, still have attributes without types associated with it > > > > > > > > At least: > > > > > > > > seinfo -a | grep adm_subj_type | grep -v service.service | wc -l > > > > 90 > > > > > > > > > > Thanks, this was do to an older bug. If an attribute had already been > > > evaluated in an expression, then cil_typeattribute_used() would not be > > > called on it. > > > > > > So now I have for your dssp1-standard policy: > > > Before : 1178K, 9938 attributes, and 534 types > > > After (default): 420K, 1621 attributes, and 534 types > > > After (-X5) : 275K, 248 attributes, and 534 types > > > > The above is where my dssp1 model really shines. These stats are what i envisioned when I started to design it at first, I abandoned it because of this bug but also because of one other fundamental limitation: > > > > namely that one cannot associate typeattributes in booleanif. Is this really something that we cannot overcome? > > > > Sorry, but that would be very difficult to do in the kernel policy. > > What were you trying to accomplish with them? It is part of the overall picture. dssp1 leverages typeattributes at the heart, and is very scalable due to this. The bigger the policy gets the more amazing the efficiency is. A side affect of this is that everything is essentially type attributed, and so if one cannot associate type attributes in booleanifs then booleanif becomes essentially useless, since all i really have is typeattributes to work with. I dont care about the kernel policy though. The kernel policy also cannot associate type attributes with type attributes and that did not stop us from implementing the feature in CIL > > Jim > > > > > > > So now I have for your dssp2-standard policy: > > > Before : 918K, 772 attributes, and 1426 types > > > After (default): 889K, 551 attributes, and 1426 types > > > After (-X5) : 901K, 160 attributes, and 1426 types > > > > > > And: > > > seinfo -a policy.30 | grep adm_subj_type | grep -v service.service | wc -l > > > 0 > > > > > > Jim > > > > > > > > > > > > > > > > > > > > > > > > > > > > > James Carter (2): > > > > > > > libsepol/cil: Add ability to expand some attributes in binary policy > > > > > > > secilc: Add options to control the expansion of attributes > > > > > > > > > > > > > > libsepol/cil/include/cil/cil.h | 2 + > > > > > > > libsepol/cil/src/cil.c | 12 ++ > > > > > > > libsepol/cil/src/cil_binary.c | 253 +++++++++++++++++++++++++++---------- > > > > > > > libsepol/cil/src/cil_internal.h | 7 +- > > > > > > > libsepol/cil/src/cil_post.c | 32 +++-- > > > > > > > libsepol/cil/src/cil_resolve_ast.c | 25 ++-- > > > > > > > libsepol/src/libsepol.map.in | 2 + > > > > > > > secilc/secil2conf.c | 2 + > > > > > > > secilc/secilc.8.xml | 10 ++ > > > > > > > secilc/secilc.c | 31 ++++- > > > > > > > 10 files changed, 275 insertions(+), 101 deletions(-) > > > > > > > > > > > > > > -- > > > > > > > 2.7.4 > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Selinux mailing list > > > > > > > Selinux@xxxxxxxxxxxxx > > > > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Selinux mailing list > > > > > > Selinux@xxxxxxxxxxxxx > > > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > > > > > > > > > -- > > > > > James Carter <jwcart2@xxxxxxxxxxxxx> > > > > > National Security Agency > > > > > _______________________________________________ > > > > > Selinux mailing list > > > > > Selinux@xxxxxxxxxxxxx > > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > > > > _______________________________________________ > > > > Selinux mailing list > > > > Selinux@xxxxxxxxxxxxx > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > > > > > > -- > > > James Carter <jwcart2@xxxxxxxxxxxxx> > > > National Security Agency > > > _______________________________________________ > > > Selinux mailing list > > > Selinux@xxxxxxxxxxxxx > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > > > > _______________________________________________ > > Selinux mailing list > > Selinux@xxxxxxxxxxxxx > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. > > > > > -- > James Carter <jwcart2@xxxxxxxxxxxxx> > National Security Agency > _______________________________________________ > Selinux mailing list > Selinux@xxxxxxxxxxxxx > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx. -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
