On 10/14/2016 10:32 AM, Stephen Smalley wrote:
> On 10/14/2016 10:15 AM, William Roberts wrote:
>> Is it to be expected that checkfc would actually fail on refpolicy?
>>
>> $ ./checkfc ../refpolicy/policy.30 ../refpolicy/file_contexts
>> Error: "fs_type" is not defined in this policy.
>>
>> I could comment out the validation callback... but just wondering if
>> this is expected.
> 
> Yes, you hardcoded Android-specific type attributes in checkfc,
> remember?  That's fine since it is an Android-only tool.  In Linux, we
> just runs setfiles -c /path/to/policy /path/to/file_contexts to do the
> same thing, or these days sefcontext_compile -p /path/to/policy
> /path/to/file_contexts will validate it.

Or if you want a test program that just processes file_contexts and
looks up an entry, you can use selabel_lookup or matchpathcon from
libselinux/utils.

> 
>>
>>
>> On Fri, Oct 14, 2016 at 9:08 AM, William Roberts
>> <bill.c.robe...@gmail.com> wrote:
>>> Yeah I just exported CHECKPOLICY to be the one from the AOSP tree and
>>> it only took 4 seconds.
>>>
>>> On Fri, Oct 14, 2016 at 9:07 AM, William Roberts
>>> <bill.c.robe...@gmail.com> wrote:
>>>> Likely not, I see it compiling version 29 and I am on ubuntu which is
>>>> way out of date with this stuff... should I just use the checkpolicy
>>>> from my AOSP tree?
>>>>
>>>> Or should I just install with some particular set of options from
>>>> selinux master repo?
>>>>
>>>> On Fri, Oct 14, 2016 at 9:06 AM, Stephen Smalley <s...@tycho.nsa.gov> 
>>>> wrote:
>>>>> On 10/14/2016 09:02 AM, William Roberts wrote:
>>>>>> Looks like make MONOLITHIC=y policy to get the binary policy file....
>>>>>>
>>>>>> Is it normal for checkpolicy to take 5 minutes?
>>>>>
>>>>> No, at least not with a modern checkpolicy.  Are you using a current
>>>>> version?
>>>>>
>>>>> $ time make MONOLITHIC=y policy
>>>>> Compiling refpolicy policy.30
>>>>> /usr/bin/checkpolicy -U deny policy.conf -o policy.30
>>>>> /usr/bin/checkpolicy:  loading policy configuration from policy.conf
>>>>> /usr/bin/checkpolicy:  policy configuration loaded
>>>>> /usr/bin/checkpolicy:  writing binary representation (version 30) to
>>>>> policy.30
>>>>>
>>>>> real    0m3.341s
>>>>> user    0m3.280s
>>>>> sys     0m0.061s
>>>>>
>>>>>>
>>>>>> >From TOP:
>>>>>> 31178 wcrobert  20   0  812552 751940   1628 R 100.0  4.6   4:47.36
>>>>>> checkpolicy
>>>>>>
>>>>>> On Thu, Oct 13, 2016 at 4:37 PM, Stephen Smalley <s...@tycho.nsa.gov> 
>>>>>> wrote:
>>>>>>> On 10/13/2016 03:28 PM, Roberts, William C wrote:
>>>>>>>> I was looking back at my speedup patch for nodups specs…
>>>>>>>>
>>>>>>>> http://marc.info/?l=selinux&m=147249024230263&w=2
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I was testing before with a large, generated file_context file. I was
>>>>>>>> wondering what would be a good source for
>>>>>>>>
>>>>>>>> A desktop version of a file_contexts (textual preference as I can run
>>>>>>>> sefcontext_compile on it) file as well as a binary
>>>>>>>>
>>>>>>>> policy file….
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Should I just use refpolicy?
>>>>>>>
>>>>>>> That's probably fine, unless you happen to have Fedora installed and can
>>>>>>> just use its file_contexts file.
>>>>>>>
>>>>>>> $ cd refpolicy
>>>>>>> $ make MONOLITHIC=y conf
>>>>>>> $ make MONOLITHIC=y file_contexts
>>>>>>> $ wc -l file_contexts
>>>>>>> 4908 file_contexts
>>>>>>> $ wc -l /etc/selinux/targeted/contexts/files/file_contexts
>>>>>>> 6075 /etc/selinux/targeted/contexts/files/file_contexts
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Selinux mailing list
>>>>>>> Selinux@tycho.nsa.gov
>>>>>>> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
>>>>>>> To get help, send an email containing "help" to 
>>>>>>> selinux-requ...@tycho.nsa.gov.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Respectfully,
>>>>
>>>> William C Roberts
>>>
>>>
>>>
>>> --
>>> Respectfully,
>>>
>>> William C Roberts
>>
>>
>>
> 

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Reply via email to