On Mon, Mar 2, 2020 at 10:46 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > Yeah, there is currently no test for this. I have something hackish > that I used locally - I'll try to convert it to something more usable > an automated and integrate it into the repo. FWIW, my "test" in this case was to generate unoptimized and optimized policies before and after the patches, and use cmp as a first level check on whether the kernel policy was completely unchanged by the patches, and then when cmp failed on the old and new optimized policies, I used checkpolicy -M -F -o policy.conf -b policy.32 to decompile each of the optimized policies to policy.conf sources, and then I diff'd the two policy.conf files to see if/where they actually differed. (normally I'd use sediff for this kind of thing but in this case we want to see non-semantic differences between the policies wrt optimization, not just semantic differences, and also sediff took too much time and memory on Fedora policies until recent changes by James that I don't think have made their way into an official release yet.)
