Re: [PATCH 0/3] libsepol: Speed up policy optimization

On Mon, Mar 2, 2020 at 10:08 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Mon, Mar 2, 2020 at 9:22 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > On Mon, Mar 2, 2020 at 1:45 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
[...]
> > > secilc has -G and -X options for controlling expansion of attributes, but
> > > there aren't equivalent settings in semanage.conf to control when
> > > building modular policies.
> > > Internally it all uses the libsepol CIL support so it ought to be fixable.
> > > Looks like the default is 1 in cil_db_init() so it only happens when
> > > the attribute has no types by default?
[...]
> >
> > Apparently that was to eliminate attributes that have no types at all.
> > Seems like we could add new options to semanage.conf to provide equivalents
> > to secilc -G and -X, and have semanage_direct_commit() call
> > cil_set_attrs_expand_generated()
> > and cil_set_attrs_expand_size() in the same manner as secilc does based on those
> > semanage.conf settings.
> >
> > Could also look at increasing the default size to 5 or something and
> > see what impact that has on
> > Fedora policies.
>
> Well, for a start we could increase the default to 2, which should
> only remove those attributes that have only one type. That has
> practically no downsides (other than making it a bit harder to trace
> the rule back to source policy) and would be just enough to make the
> optimization work nicely.

I played with this a bit by recompiling the local binary policy with
secilc and then comparing the CIL of both binary policies (I used this
script [1]) and the results are a bit confusing... There is no
difference in result between -X 0 and -X 1 [2] and in both cases it
removes some unused attributes (those are only referenced from
neverallow rules) that were in the original policy
(/etc/selinux/targeted/policy/policy.31 from my Fedora 31 machine),
but not in the one recompiled via checkpolicy -C + secilc... At least
I was able to confirm that secilc -X 2 really removes the attributes
that have only one type and reduces the policy size by a few
kilobytes.

I suspect that the reason for the unremoved attributes in the policy
built by semodule are due to a bug in libsepol: It seems that when it
starts with a cildb that has the neverallow rules in the input policy
+ has disable_neverallow set, it removes the rules but not the
attributes that are used only in them. Only when it reads the policy
again, it identifies these unused attributes (since there are no
longer any neverallow rules in the input) and removes them
unconditionally. It could be something else, but if I'm right then I
think libsepol should be fixed to remove the unused attributes right
away. I don't dare digging into the CIL code to investigate it, though
;)

[1] https://gitlab.com/omos/selinux-misc/-/blob/master/diffexpand.sh
[2] Okay, this part is not really confusing, since semodule should
already build the policy with an equivalent of -X 1, so -X 0 should
yield the same result.

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
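The behaviour being compared above (what `-X N`, `-G` and a dropped neverallow rule do to the attribute set) can be modelled on a toy policy. The block below is an added example, not code from libsepol, CIL or the diffexpand.sh script linked in the mail; it assumes a simplified policy of attributes with member type sets plus `allow`/`neverallow` rules, uses a hypothetical `cil_gen_` prefix to mark CIL-generated attributes, and implements the single-pass removal the mail argues libsepol should perform (attributes left unreferenced after neverallow rules are dropped disappear in the same pass). The expansion rule it uses, "expand attributes with fewer than N member types" for `-X N`, matches the default of 1 removing only empty attributes and `-X 2` removing single-type attributes as described above.

```python
"""Toy model of type-attribute expansion as controlled by secilc -X / -G.

Added example; not libsepol/CIL code. Assumptions: an attribute is a name plus
its member type set, generated attributes carry a hypothetical 'cil_gen_'
prefix, and rules are (kind, source, target) tuples with kind in
{"allow", "neverallow"}.
"""
from dataclasses import dataclass

GENERATED_PREFIX = "cil_gen_"  # hypothetical marker for CIL-generated attributes


@dataclass
class Policy:
    attributes: dict  # attribute name -> set of member type names
    rules: list       # (kind, source, target)


def expand_attributes(policy, expand_size=1, expand_generated=False,
                      disable_neverallow=False):
    """Return a new Policy with attributes expanded and unused ones removed.

    Steps: (1) optionally drop neverallow rules, (2) expand every attribute
    with fewer than expand_size members (and generated ones when requested)
    into its member types, one rule per type, (3) drop attributes that no
    remaining rule references, in the same pass.
    """
    rules = [r for r in policy.rules
             if not (disable_neverallow and r[0] == "neverallow")]
    attrs = {a: set(t) for a, t in policy.attributes.items()}

    def should_expand(name):
        return (len(attrs[name]) < expand_size
                or (expand_generated and name.startswith(GENERATED_PREFIX)))

    to_expand = {a for a in attrs if should_expand(a)}
    expanded_rules = []
    for kind, src, tgt in rules:
        # An attribute with no members expands to no rules at all.
        srcs = sorted(attrs[src]) if src in to_expand else [src]
        tgts = sorted(attrs[tgt]) if tgt in to_expand else [tgt]
        for s in srcs:
            for t in tgts:
                rule = (kind, s, t)
                if rule not in expanded_rules:
                    expanded_rules.append(rule)
    for a in to_expand:
        del attrs[a]
    referenced = ({src for _, src, _ in expanded_rules}
                  | {tgt for _, _, tgt in expanded_rules})
    attrs = {a: t for a, t in attrs.items() if a in referenced}
    return Policy(attrs, expanded_rules)


# Constructed sample policy covering each case discussed in the thread.
SAMPLE = Policy(
    attributes={
        "domain": {"init_t", "sshd_t", "httpd_t"},
        "single_t_attr": {"httpd_t"},           # exactly one member
        "empty_attr": set(),                    # no members at all
        "nnp_only_attr": {"init_t", "sshd_t"},  # used only by a neverallow
        "cil_gen_1": {"init_t", "sshd_t"},      # CIL-generated attribute
    },
    rules=[
        ("allow", "domain", "etc_t"),
        ("allow", "single_t_attr", "http_port_t"),
        ("allow", "empty_attr", "etc_t"),
        ("neverallow", "nnp_only_attr", "shadow_t"),
        ("allow", "cil_gen_1", "tmp_t"),
    ],
)


def attribute_counts(policy, sizes=(0, 1, 2, 5), disable_neverallow=True):
    """Number of surviving attributes per -X setting, like diffing the
    CIL of policies compiled with different -X values."""
    return {n: len(expand_attributes(policy, expand_size=n,
                                     disable_neverallow=disable_neverallow
                                     ).attributes) for n in sizes}


if __name__ == "__main__":
    for n, count in attribute_counts(SAMPLE).items():
        print(f"-X {n}: {count} attributes remain")
```

With the sample policy, `-X 1` removes only `empty_attr`, `-X 2` additionally rewrites the `single_t_attr` rule in terms of `httpd_t`, and once neverallow rules are disabled `nnp_only_attr` is gone in the same pass rather than surviving until the policy is read back in.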
