8fdb225521
range transition and name-based type transition rules were originally simple unordered lists. They were converted to hashtabs in the kernel by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range transition list to a hashtab") and by commit 2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based create rules in a hashtable"), but left unchanged in libsepol and checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs as the kernel for the range transitions and name-based type transitions. With this change and the preceding one, it is possible to directly compare a policy file generated by libsepol/checkpolicy and the kernel-generated /sys/fs/selinux/policy pseudo file after normalizing them both through checkpolicy. To do so, you can run the following sequence of commands: checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1 checkpolicy -M -b /sys/fs/selinux/policy -o policy.2 cmp policy.1 policy.2 Normalizing the two files via checkpolicy is still necessary to ensure consistent ordering of the avtab entries. There may still be potential for other areas of difference, e.g. xperms entries may lack a well-defined order. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> |
||
---|---|---|
.. | ||
include/cil | ||
src | ||
test | ||
.gitignore |