On Mon, Mar 2, 2020 at 10:24 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Thu, Feb 27, 2020 at 11:03 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Only attributes can be a superset of another attribute, so we can skip
> > non-attributes right away.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> > libsepol/src/optimize.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
> > index 4d835d47..2b5102af 100644
> > --- a/libsepol/src/optimize.c
> > +++ b/libsepol/src/optimize.c
> > @@ -50,6 +50,9 @@ static ebitmap_t *build_type_map(const policydb_t *p)
> > for (k = 0; k < p->p_types.nprim; k++) {
> > ebitmap_t *types_k = &p->attr_type_map[k];
> >
> > + if (p->type_val_to_struct[k]->flavor != TYPE_ATTRIB)
> > + continue;
> > +
>
> I haven't tested this yet, but I suspect that this is what is causing
> the difference noted by Stephen. A type is a superset of itself.
>
This is definitely what is causing the change. Your explanation is
correct. This prevents a type from being considered as a super set of
an attribute that only contains that type.
Jim
> Jim
>
>
> > if (ebitmap_contains(types_k, types_i)) {
> > if (ebitmap_set_bit(&map[i], k, 1))
> > goto err;
> > --
> > 2.24.1
> >
