libsemanage: optionally optimize policy on rebuild

When building binary policy, optionally run it through
sepol_policydb_optimize() just before writing it out.

Add an optimize-policy variable to semanage.conf(5) that controls
whether optimization will be applied during libsemanage operations.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Ondrej Mosnacek 2019-06-13 13:45:56 +02:00 committed by James Carter
parent b8213acff8
commit 3cba4306b9
5 changed files with 28 additions and 1 deletions


@ -121,6 +121,11 @@ and by default it is set to "false".
Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
.TP
.B optimize-policy
When set to "true", the kernel policy will be optimized upon rebuilds.
It can be set to either "true" or "false" and by default it is set to "false".
.SH "SEE ALSO"
.TP
semanage(8)


@ -59,7 +59,7 @@ static int parse_errors;
char *s;
}
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
%token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
@ -95,6 +95,7 @@ single_opt: module_store
| bzip_blocksize
| bzip_small
| remove_hll
| optimize_policy
;
module_store: MODULE_STORE '=' ARG {
@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG {
free($3);
}
optimize_policy: OPTIMIZE_POLICY '=' ARG {
if (strcasecmp($3, "false") == 0) {
current_conf->optimize_policy = 0;
} else if (strcasecmp($3, "true") == 0) {
current_conf->optimize_policy = 1;
} else {
yyerror("optimize-policy can only be 'true' or 'false'");
}
free($3);
}
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->bzip_small = 0;
conf->ignore_module_cache = 0;
conf->remove_hll = 0;
conf->optimize_policy = 0;
conf->save_previous = 0;
conf->save_linked = 0;
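Review bot: The new optimize_policy grammar rule is undocumented and its failure path is only implicit: on any value other than true/false it calls yyerror() and leaves current_conf->optimize_policy untouched, i.e. at the 0 assigned in the semanage_conf_init hunk (or at whatever an earlier occurrence of the option set), and whether the configuration is then rejected as a whole depends on yyerror() updating the static parse_errors declared just above the first hunk, which is outside this diff. Suggest a comment above the rule: `/* optimize-policy = true|false (case-insensitive); an invalid value is reported via yyerror() and leaves the previous/default (0) value in place */`. Also, the semanage.conf(5) text added in this commit documents only lowercase "true"/"false" while strcasecmp() accepts any case, which is harmless but worth aligning in either the man page or the check.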


@ -54,6 +54,7 @@ handle-unknown return HANDLE_UNKNOWN;
bzip-blocksize return BZIP_BLOCKSIZE;
bzip-small return BZIP_SMALL;
remove-hll return REMOVE_HLL;
optimize-policy return OPTIMIZE_POLICY;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[sefcontext_compile]" return SEFCONTEXT_COMPILE_START;


@ -1461,6 +1461,13 @@ rebuild:
cil_db_destroy(&cildb);
/* Remove redundancies in binary policy if requested. */
if (sh->conf->optimize_policy) {
retval = sepol_policydb_optimize(out);
if (retval < 0)
goto cleanup;
}
/* Write the linked policy before merging local changes. */
retval = semanage_write_policydb(sh, out,
SEMANAGE_LINKED);
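Review bot: When sepol_policydb_optimize() fails, the new branch jumps to cleanup without emitting any diagnostic through the handle, so a failed rebuild would surface to the admin only as a bare non-zero result unless libsepol itself reports the cause; other failure points in this function presumably use ERR(sh, ...), though none is visible in the hunk. Suggest `if (retval < 0) { ERR(sh, "Failed to optimize the kernel policy"); goto cleanup; }`. Failing the whole commit here rather than writing an unoptimized or partially optimized policy is the right choice, since the output is the policy the kernel will enforce. Note also that the optimization runs on `out` before it is written as SEMANAGE_LINKED, so the on-disk linked policy is the optimized one as well; if that is intended, the comment `/* Remove redundancies in binary policy if requested. */` could say so. The enclosing function, whose `rebuild:` label this hunk belongs to, starts and ends outside the hunk.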


@ -47,6 +47,7 @@ typedef struct semanage_conf {
int bzip_small;
int remove_hll;
int ignore_module_cache;
int optimize_policy;
char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
struct external_prog *load_policy;
struct external_prog *setfiles;
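Review bot: The new `optimize_policy` field carries no comment, unlike `ignoredirs` immediately below it, so a reader of the struct has to go to semanage.conf(5) to learn what it gates. Suggest `int optimize_policy; /* semanage.conf "optimize-policy": run sepol_policydb_optimize() on the kernel policy at rebuild; default 0 */` (the default is the 0 set in semanage_conf_init in this commit). The struct definition continues beyond the hunk.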