libsemanage: optionally optimize policy on rebuild
When building binary policy, optionally run it through sepol_policydb_optimize() just before writing it out. Add an optimize-policy variable to semanage.conf(5) that controls whether optimization will be applied during libsemanage operations. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
parent
b8213acff8
commit
3cba4306b9
@ -121,6 +121,11 @@ and by default it is set to "false".
|
||||
Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
|
||||
In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
|
||||
|
||||
.TP
|
||||
.B optimize-policy
|
||||
When set to "true", the kernel policy will be optimized upon rebuilds.
|
||||
It can be set to either "true" or "false" and by default it is set to "false".
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.TP
|
||||
semanage(8)
|
||||
|
@ -59,7 +59,7 @@ static int parse_errors;
|
||||
char *s;
|
||||
}
|
||||
|
||||
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
|
||||
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
|
||||
%token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
|
||||
%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
|
||||
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
|
||||
@ -95,6 +95,7 @@ single_opt: module_store
|
||||
| bzip_blocksize
|
||||
| bzip_small
|
||||
| remove_hll
|
||||
| optimize_policy
|
||||
;
|
||||
|
||||
module_store: MODULE_STORE '=' ARG {
|
||||
@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG {
|
||||
free($3);
|
||||
}
|
||||
|
||||
optimize_policy: OPTIMIZE_POLICY '=' ARG {
|
||||
if (strcasecmp($3, "false") == 0) {
|
||||
current_conf->optimize_policy = 0;
|
||||
} else if (strcasecmp($3, "true") == 0) {
|
||||
current_conf->optimize_policy = 1;
|
||||
} else {
|
||||
yyerror("optimize-policy can only be 'true' or 'false'");
|
||||
}
|
||||
free($3);
|
||||
}
|
||||
|
||||
command_block:
|
||||
command_start external_opts BLOCK_END {
|
||||
if (new_external->path == NULL) {
|
||||
@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
|
||||
conf->bzip_small = 0;
|
||||
conf->ignore_module_cache = 0;
|
||||
conf->remove_hll = 0;
|
||||
conf->optimize_policy = 0;
|
||||
|
||||
conf->save_previous = 0;
|
||||
conf->save_linked = 0;
|
||||
|
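Review bot: The `else` branch of the new `optimize_policy` rule leaves `current_conf->optimize_policy` at whatever value it already had and relies entirely on `yyerror()` to make the configuration load fail. The body of `yyerror()` is outside this section, so that it records the error (the file declares `static int parse_errors`) is inferred and worth confirming. Because this flag decides whether the kernel policy is rewritten before it is stored, a short comment in that branch would help, e.g. `/* invalid value: flag keeps its previous value (0 from semanage_conf_init by default); yyerror() reports the bad config */`. The three-way true/false/error structure also appears to repeat what `remove_hll` does just above, so a small shared helper for boolean options would keep later flags from drifting apart.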
@ -54,6 +54,7 @@ handle-unknown return HANDLE_UNKNOWN;
|
||||
bzip-blocksize return BZIP_BLOCKSIZE;
|
||||
bzip-small return BZIP_SMALL;
|
||||
remove-hll return REMOVE_HLL;
|
||||
optimize-policy return OPTIMIZE_POLICY;
|
||||
"[load_policy]" return LOAD_POLICY_START;
|
||||
"[setfiles]" return SETFILES_START;
|
||||
"[sefcontext_compile]" return SEFCONTEXT_COMPILE_START;
|
||||
|
@ -1461,6 +1461,13 @@ rebuild:
|
||||
|
||||
cil_db_destroy(&cildb);
|
||||
|
||||
/* Remove redundancies in binary policy if requested. */
|
||||
if (sh->conf->optimize_policy) {
|
||||
retval = sepol_policydb_optimize(out);
|
||||
if (retval < 0)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Write the linked policy before merging local changes. */
|
||||
retval = semanage_write_policydb(sh, out,
|
||||
SEMANAGE_LINKED);
|
||||
|
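Review bot: The failure path after `sepol_policydb_optimize(out)` jumps to `cleanup` without logging anything on the handle, so a rebuild that fails here gives the caller only a negative return code unless libsepol reports the error itself, which this hunk does not show. Consider adding `ERR(sh, "Failed to optimize policy.");` before the `goto cleanup;`, if that matches how the other failures in this function are reported. The optimized policydb is also what `semanage_write_policydb(sh, out, SEMANAGE_LINKED)` goes on to write, so the pre-optimization linked policy does not appear to be kept for comparison; a comment such as `/* The optimized policy replaces the linked policy that is stored; rule listings will differ from an unoptimized build. */` would help anyone diffing policies during an audit. The enclosing function starts and ends outside the hunk.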
@ -47,6 +47,7 @@ typedef struct semanage_conf {
|
||||
int bzip_small;
|
||||
int remove_hll;
|
||||
int ignore_module_cache;
|
||||
int optimize_policy;
|
||||
char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
|
||||
struct external_prog *load_policy;
|
||||
struct external_prog *setfiles;
|
||||
|