mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-11-24 12:09:50 +00:00
This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs an
92f22e193a
CIL does not allow type or role sets in certain rules (such as allow rules). It does, however, allow sets in typeattributeset and roleattributeset statements. Because of this, when module_to_cil translates a policy into CIL, it creates a new attribute for each set that it encounters. But often the same set is used multiple times which means that more attributes are created then necessary. As the number of attributes increases the time required for the kernel to make each policy decision increases which can be a problem. To help reduce the number of attributes in a kernel policy, when module_to_cil encounters a role or type set search to see if the set was encountered already and, if it was, use the previously generated attribute instead of creating a new one. Testing on Android and Refpolicy policies show that this reduces the number of attributes generated by about 40%. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> |
||
|---|---|---|
| checkpolicy | ||
| dbus | ||
| gui | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| mcstrans | ||
| policycoreutils | ||
| python | ||
| restorecond | ||
| sandbox | ||
| scripts | ||
| secilc | ||
| semodule-utils | ||
| .gitignore | ||
| .travis.yml | ||
| CleanSpec.mk | ||
| Makefile | ||
| README | ||
Please submit all bug reports and patches to selinux@tycho.nsa.gov. Subscribe via selinux-join@tycho.nsa.gov. Build dependencies on Fedora: yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils).