mirror of
https://github.com/SELinuxProject/selinux
synced 2025-03-06 18:27:40 +00:00
3904db5ac9
CIL does not have any concept of require blocks. Instead, CIL relies on whether or not all statements inside an optional block resolve to determine if an optional block should be enabled/disabled. However, a small number of optional statements require a type that is not actually used in the optional block. In old style policy, this would cause the optional block to be disabled. However, in CIL, because the type is never used, the optional block will remain enabled. To maintain compatibility, we modify pp2cil to create a new attribute, cil_gen_require, and all types/roles/attributes that are required in a pp module/optional block are associated with this attribute. Thus, if a type is required but not used, it will still fail to resolve in the typeattributeset statement, causing the optional to correctly be disabled. Note that when compiling the CIL this generated from compiling refpolicy pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time decreases by ~35% (26 seconds to 17 seconds). Signed-off-by: Steve Lawrence <slawrence@tresys.com> Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be> |
||
|---|---|---|
| checkpolicy | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| policycoreutils | ||
| scripts | ||
| sepolgen | ||
| .gitignore | ||
| Makefile | ||
| README | ||
To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.