On 3/27/20 11:21 AM, Ondrej Mosnacek wrote:
These patches are the userspace side of the kernel change posted at [1]. The first patch changes libsepol's internal representation of filename transition rules in a way similar to kernel commit c3a276111ea2 ("selinux: optimize storage of filename transitions") [2]. The second patch then builds upon that and implements reading and writing of a new binary policy format that uses this representation also in the data layout. See individual patches for more details.

NOTE: This series unfortunately breaks the build of setools. Moreover, when an existing build of setools dynamically links against the new libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of handling this, since setools relies on non-public libsepol policydb API/ABI.
I think this has happened before a few years ago when we made a different change to those structures, and required updates on the setools side.
Maybe we need to figure out what setools needs to be encapsulated and exported as part of the libsepol public ABI/API, and then stop having it peer into libsepol internals?