James Carter 92f22e193a libsepol: In module_to_cil create one attribute for each unique set
CIL does not allow type or role sets in certain rules (such as allow
rules). It does, however, allow sets in typeattributeset and
roleattributeset statements. Because of this, when module_to_cil
translates a policy into CIL, it creates a new attribute for each
set that it encounters. But often the same set is used multiple times
which means that more attributes are created than necessary. As the
number of attributes increases the time required for the kernel to
make each policy decision increases which can be a problem.

To help reduce the number of attributes in a kernel policy,
when module_to_cil encounters a role or type set, search to see if the
set was encountered already and, if it was, use the previously
generated attribute instead of creating a new one.

Testing on Android and Refpolicy policies shows that this reduces the
number of attributes generated by about 40%.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:24:05 -04:00
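
The lookup-before-create idea from the commit message above, as an added example that is not libsepol's code: each rule's type set is checked against the sets already seen, and a new attribute is emitted only for a set that has not appeared before. The bitmask set representation, the linear search, and the names `type_set`, `attr_for_set`, `translate_rules`, `example_attr_N` and `target_t` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ATTRS 64

/* Hypothetical set representation: bit i set means type i is in the set. */
struct type_set {
    uint64_t pos;   /* included types */
    uint64_t neg;   /* explicitly excluded types */
};

static struct type_set seen[MAX_ATTRS];  /* one entry per generated attribute */
static int num_attrs;

/* Return the attribute index for set s, creating an attribute only when the
 * set has not been seen before. Returns -1 if the table is full. */
int attr_for_set(struct type_set s, int *created)
{
    for (int i = 0; i < num_attrs; i++) {
        if (seen[i].pos == s.pos && seen[i].neg == s.neg) {
            *created = 0;            /* reuse the earlier attribute */
            return i;
        }
    }
    if (num_attrs == MAX_ATTRS)
        return -1;
    seen[num_attrs] = s;
    *created = 1;
    return num_attrs++;
}

/* Translate n rule source sets to CIL-style output and return how many
 * attributes were generated (without the lookup this would be n). */
int translate_rules(const struct type_set *rules, int n)
{
    num_attrs = 0;
    for (int i = 0; i < n; i++) {
        int created;
        int a = attr_for_set(rules[i], &created);
        if (a < 0)
            return -1;
        if (created)
            printf("(typeattribute example_attr_%d)\n", a);
        printf("(allow example_attr_%d target_t (file (read)))\n", a);
    }
    return num_attrs;
}

int main(void)
{
    /* Constructed input: five rules that use only two distinct sets. */
    const struct type_set rules[] = {
        {0x7, 0}, {0x7, 0}, {0x3, 0x4}, {0x7, 0}, {0x3, 0x4} };
    printf("attributes generated: %d\n", translate_rules(rules, 5));
    return 0;
}
```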

Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:
    yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:
    make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries
(overwriting any previously installed ones - dangerous!),
on x86_64, run:
    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
    make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution.  If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):
    cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).
Description
This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs an
Languages
C 71.5%
Python 15.5%
Roff 9%
SWIG 1.1%
Makefile 1%
Other 1.9%