Re: [Non-DoD Source] [PATCH userspace 0/4] Remove redundant rules when building policydb

On 5/23/19 4:39 PM, jwcart2 wrote:
> With these rules:
> 
> # Redundant 1
> allow tp01 tpr1:cl01 { p01a p11a p01b p11b };
> allow tp02 tpr1:cl01 { p01a p11a };
> allow at02 tpr1:cl01 { p01a p11a p01b };
> 
> # Redundant 2
> dontaudit tp01 tpr2:cl01 { p01a p11a p01b p11b };
> dontaudit tp02 tpr2:cl01 { p01a p11a };
> dontaudit at02 tpr2:cl01 { p01a p11a p01b };
> 
> # Redundant 3
> allow at02 tpr3:cl01 { p01a p11a p01b };
> if (b01) {
>    allow tp01 tpr3:cl01 { p01a p11a p01b p11b };
>    allow tp02 tpr3:cl01 { p01a p11a };
> }
> 
> # Redundant 4
> dontaudit at02 tpr4:cl01 { p01a p11a p01b };
> if (b01) {
>    dontaudit tp01 tpr4:cl01 { p01a p11a p01b p11b };
>    dontaudit tp02 tpr4:cl01 { p01a p11a };
> }
> 
> I see the following from sediff:
> 
> Allow Rules (0 Added, 1 Removed, 0 Modified)
>     Removed Allow Rules: 1
>        - allow tp02 tpr3:cl01 { p01a p11a }; [ b01 ]:True
> 
> Dontaudit Rules (0 Added, 1 Removed, 1 Modified)
>     Removed Dontaudit Rules: 1
>        - dontaudit tp01 tpr4:cl01 { p01a p01b p11a p11b }; [ b01 ]:True
>     Modified Dontaudit Rules: 1
>        * dontaudit tp01 tpr2:cl01 { p01b p11a p01a -p11b };
> 
> So it handles Redundant 1 just fine, but has problems with Redundant 2 which should be the same.
> 
> I don't remember what to expect from sediff for boolean rules. I had played around with removing rules with some of my earlier lua tools and I thought that sediff handled removing redundant rules from booleans, but I could be wrong.

Sediff doesn't do this optimization at this time. Rules inside a conditional block won't be considered redundant to unconditional rules.


--
Chris PeBenito
