On Fri, Mar 27, 2020 at 6:08 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 3/27/20 11:21 AM, Ondrej Mosnacek wrote:
> > Implement a new, more space-efficient form of storing filename
> > transitions in the binary policy. The internal structures have already
> > been converted to this new representation; this patch just implements
> > reading/writing an equivalent representation from/to the binary policy.
> >
> > This new format reduces the size of Fedora policy from 7.6 MB to only
> > 3.3 MB (with policy optimization enabled in both cases). With the
> > unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
>
> Haven't looked at the code yet, but something is wrong with the handling
> when it needs to downgrade to an older policy version for a kernel that
> doesn't yet support this new version:
>
> $ sudo semodule -B
> libsepol.mls_read_range_helper: range overflow
> libsepol.context_read_and_validate: error reading MLS range of context
> libsepol.policydb_to_image: new policy image is invalid
> libsepol.policydb_to_image: could not create policy image
> SELinux: Could not downgrade policy file
> /etc/selinux/targeted/policy/policy.33, searching for an older version.

Hm, haven't tried that... I reproduced it on my end and I believe I have
found the bug - filename_trans_read_one_new() is counting
p->filename_trans_count in a completely wrong way. It needs to add up the
cardinalities of all stype bitmaps, not just count the hashtab entries...

I'll post a v2 tomorrow, in the meantime you can test with this patch on top:
https://github.com/WOnder93/selinux/commit/738263d5be83323da7b4008e37140ec7ef99db8d.patch

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
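Added illustration of the counting bug described in the reply above; this is a toy model, not libsepol code. It assumes a hypothetical `struct ft_entry` keyed by (target type, class, name) with a 64-bit source-type bitmap standing in for libsepol's ebitmap, and shows why the per-entry count differs from the number of old-format (stype, ttype, tclass, name) rules that a downgraded policy image has to carry.

```c
/* Toy model of the compact filename-transition table (not libsepol's own
 * structures): one entry per (ttype, tclass, name) carrying a bitmap of
 * source types. A uint64_t stands in for the real ebitmap. */
#include <stdint.h>
#include <stddef.h>

struct ft_entry {
    uint32_t ttype;
    uint32_t tclass;
    const char *name;
    uint64_t stypes;   /* bit i set => source type i has this transition */
};

/* Cardinality of the bitmap (what ebitmap_cardinality() gives for ebitmaps). */
static unsigned popcount64(uint64_t x)
{
    unsigned n = 0;
    while (x) { x &= x - 1; n++; }
    return n;
}

/* The wrong count: number of hash table entries, i.e. distinct
 * (ttype, tclass, name) keys, regardless of how many stypes each has. */
size_t count_entries(const struct ft_entry *tab, size_t n)
{
    (void)tab;
    return n;
}

/* The right count for the old format: one rule per stype in every entry,
 * so sum the bitmap cardinalities across all entries. */
size_t count_transitions(const struct ft_entry *tab, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += popcount64(tab[i].stypes);
    return total;
}

/* Constructed sample: three entries covering five source-type transitions. */
static const struct ft_entry sample[] = {
    { 10, 2, "resolv.conf", (UINT64_C(1) << 1) | (UINT64_C(1) << 3) | (UINT64_C(1) << 7) },
    { 10, 2, "hosts",       (UINT64_C(1) << 1) },
    { 11, 3, "tmp",         (UINT64_C(1) << 4) },
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

size_t sample_entries(void)     { return count_entries(sample, SAMPLE_N); }
size_t sample_transitions(void) { return count_transitions(sample, SAMPLE_N); }
```

With the sample table the two counts are 3 and 5; a writer that records the smaller number while emitting one record per transition leaves the old-format reader misaligned on whatever section follows.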