On 3/27/20 11:21 AM, Ondrej Mosnacek wrote:
Implement a new, more space-efficient form of storing filename
transitions in the binary policy. The internal structures have already
been converted to this new representation; this patch just implements
reading/writing an equivalent representation from/to the binary policy.
This new format reduces the size of Fedora policy from 7.6 MB to only
3.3 MB (with policy optimization enabled in both cases). With the
unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
Haven't looked at the code yet, but something is wrong with the handling
when it needs to downgrade to an older policy version for a kernel that
doesn't yet support this new version:
$ sudo semodule -B
libsepol.mls_read_range_helper: range overflow
libsepol.context_read_and_validate: error reading MLS range of context
libsepol.policydb_to_image: new policy image is invalid
libsepol.policydb_to_image: could not create policy image
SELinux: Could not downgrade policy file
/etc/selinux/targeted/policy/policy.33, searching for an older version.