The primary motivation for the change is to correctly handle redundant
rules. Recent changes in the SELinux toolchain added support for an
optimization that removes redundant rules from a policy. These are
conditional rules that are either already specified in unconditional
policy or rules using types that are also specified more generally
through an attribute. Since attributes are always expanded in sediff,
the second type of redundant rules are already effectively removed. But
redundant conditional rules show up as differences when a binary version
of a policy that has been optimized is compared to one that has not been.
A secondary motivation for the change is to reduce memory usage and diff
times. A modern Fedora policy cannot be diffed with a system with less than
32Gb of memory and it takes over four hours to complete.
With this change AV rules are processed by creating a data structure which
consists of nested dictionaries that store BOTH the left and the right
policies. All of the keys are interned strings to save space.
The basic structure is
rule_db[cond_exp][block_bool][src][tgt][tclass]=sides
where:
cond_exp is a boolean expression
block_bool is either true or false
src is the source type
tgt is the target type
tclass is the target class
sides is a namedtuple with "left" and "right" attributes
Each side is either None or another namedtuple with "perms" and
"orig_rule" attributes
perms is the set of permissions for this rule
orig_rule is the original unexpanded rule
These changes improve diff times and memory usage.
Without the change
Time Memory Usage
Older Fedora Policy 3 min 17 sec 4.5Gb
Recent Refpolicy 4 min 19 sec 6.0Gb
Recent Fedora Policy 4 hrs 9 min 31.9Gb
With the change
Time Memory Usage
Older Fedora Policy 28 sec 1.7Gb
Recent Refpolicy 34 sec 1.9Gb
Recent Fedora Policy 4 min 45 sec 7.7Gb
Also added a unit test to check that redundant rules are removed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Record the rule list and expanded rule statistics for determining if
memory size issues are due to rule size vs. something else.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Adds the option to the infoflow analysis to filter conditional policy based on the default or user specified boolean values.
Signed-off-by: Daniel Riechers <daniel.riechers@rockwellcollins.com>
Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
If the directory is a relative path, it is interpreted relative to the
installation prefix (Python’s sys.prefix for pure-Python packages,
sys.exec_prefix for packages that contain extension modules).
So the sys.prefix should not be joined because the correct one will be
added regardless. The reason why a relative path is going to work is
because the installation path is built internally joining python root
with python prefix, thus forming the correct path $(TARGET_DIR)/usr.
(https://docs.python.org/3/distutils/setupscript.html#installing-additional-files)
For this man file install scenario, joining the sys.prefix makes the
path absolute (this was previously working by accident).
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
