On Mon, Mar 2, 2020 at 9:50 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, Feb 28, 2020 at 1:08 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Thu, Feb 27, 2020 at 11:03 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > >
> > > This series contains two small changes (these don't seem to affect
> > > performance measurably, but are nonetheless logical) and a patch that
> > > changes how the policy optimization "type_map" helper structure is
> > > represented, which speeds up the whole process.
> > >
> > > Ondrej Mosnacek (3):
> > >   libsepol: skip unnecessary check in build_type_map()
> > >   libsepol: optimize inner loop in build_type_map()
> > >   libsepol: speed up policy optimization
> >
> > Not a comment on the patches themselves, but this made me wonder if
> > the optimization support is actually tested by our travis
> > configuration.
> > Doesn't appear to be (e.g. no usage of -O/--optimize or semanage.conf
> > with optimize-policy true).
>
> Adding optimize-policy = true to /etc/selinux/semanage.conf and
> running semodule -BN before and after these patches yields different
> binary kernel policy files (policy.32).
> Is that expected?

Here is one example difference between the policies, along with what
was present in the original unoptimized policy:

$ sesearch -A -s guest_t -t guest_t -c context -p contains policy.32.unoptimized
allow guest_t guest_t:context contains;
allow guest_usertype guest_usertype:context contains;

$ sesearch -A -s guest_t -t guest_t -c context -p contains policy.32.optimizedbefore
allow guest_t guest_t:context contains;

$ sesearch -A -s guest_t -t guest_t -c context -p contains policy.32.optimizedafter
allow guest_usertype guest_usertype:context contains;

Seems like the code prior to these changes yielded a more optimal
policy since guest_usertype only has a single type in it.
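To make the observed difference concrete, here is an added, simplified Python model of the attribute-versus-type redundancy that policy optimization resolves; it is not libsepol's code, and the type map and rules are constructed from the sesearch output in the thread. It shows that the two guest rules cover each other once guest_usertype expands to the single type guest_t, so whichever rule the optimizer visits first survives, and the two policies are semantically equivalent while differing in which rule was kept.

```python
from dataclasses import dataclass

# Constructed type map (attribute -> concrete types), standing in for the
# type_map helper that build_type_map() computes in libsepol.
TYPE_MAP = {
    "guest_usertype": {"guest_t"},            # attribute with a single member
    "user_usertype": {"user_t", "staff_t"},   # attribute with two members
}


@dataclass(frozen=True)
class Allow:
    source: str
    target: str
    tclass: str
    perms: frozenset


def expand(name):
    """Concrete types a source/target name stands for (types expand to themselves)."""
    return TYPE_MAP.get(name, {name})


def covers(a, b):
    """a covers b if a grants every (source, target, class, perm) that b grants."""
    return (a.tclass == b.tclass
            and expand(b.source) <= expand(a.source)
            and expand(b.target) <= expand(a.target)
            and b.perms <= a.perms)


def optimize(rules):
    """Drop each rule already covered by a rule kept earlier in the list.
    For mutually covering rules, list order is the tie-break: that is how two
    optimizers can agree on semantics yet emit different binary policies."""
    kept = []
    for rule in rules:
        if not any(covers(k, rule) for k in kept):
            kept.append(rule)
    return kept


def rules_equivalent(a, b):
    """True if both rule sets grant the same concrete permissions after expansion."""
    def flat(rules):
        return {(s, t, r.tclass, p) for r in rules
                for s in expand(r.source) for t in expand(r.target) for p in r.perms}
    return flat(a) == flat(b)


# Constructed rules taken from the sesearch output above.
TYPE_RULE = Allow("guest_t", "guest_t", "context", frozenset({"contains"}))
ATTR_RULE = Allow("guest_usertype", "guest_usertype", "context", frozenset({"contains"}))
```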