This is a minor improvement to the CIL -> policydb code which will remove
unused AV rules.  In the past you could create 2 type attributes like so:

(typeattribute x)
(typeattribute y)
(type z)
(typeattributeset y z)

And an avrule (which would be kept in the resulting policydb):

(allow x y (process (transition)))

Now the avrule would be removed, since the source of the rule has
no associated types.  Similarly, the rule would have been removed if the
target had no associated types when the source does.  The exception to this
rule is neverallows, since AOSP checks for them in their resulting policy.conf.

There's a small difference in fedora-selinux:

[root@localhost ~]# sesearch -ACS original.30  | head -1
Found 101204 semantic av rules:
[root@localhost ~]# sesearch -ACS modified.30  | head -1
Found 101030 semantic av rules:

And a more noticeable difference with Dominick Grift's dssp1:

[root@localhost ~]# sesearch -ACS dssp_original.30 | head -1
Found 11270 semantic av rules:
[root@localhost ~]# sesearch -ACS dssp_modified.30 | head -1
Found 2574 semantic av rules:

Gary Tierney (1):
  libsepol/cil: remove avrules with no affected types

 libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

-- 
2.4.11
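The pruning rule described in this cover letter, modelled as an added example (this is not the libsepol patch itself, which works on the policydb in cil_binary.c). It parses a tiny constructed CIL subset (typeattribute, type, typeattributeset with plain names, allow, neverallow), expands each attribute to its member types, and drops allow rules whose source or target expands to no types while keeping neverallow rules, as the text says AOSP relies on. The helper names and the sample policy are assumptions made for this example.

```python
"""Model of avrule pruning for attributes with no associated types.

Added example, not libsepol code. Handles only plain names in
typeattributeset (no and/or/not set expressions) and the 'self' target.
"""
import re

TOKEN = re.compile(r"\(|\)|[^\s()]+")
SET_OPERATORS = {"and", "or", "not", "xor", "all"}


def parse_cil(text):
    """Parse CIL s-expressions into nested Python lists, one per statement."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    return stack[0]


def unparse(node):
    """Render a parsed statement back into CIL text."""
    if isinstance(node, list):
        return "(" + " ".join(unparse(n) for n in node) + ")"
    return node


def expand(name, types, attrs, seen=None):
    """Return the set of concrete types that a type or attribute name stands for."""
    if name in types:
        return {name}
    if seen is None:
        seen = set()
    if name in seen:  # guard against attribute cycles
        return set()
    seen.add(name)
    result = set()
    for member in attrs.get(name, ()):
        result |= expand(member, types, attrs, seen)
    return result


def prune_avrules(text):
    """Return (kept, removed) rule strings after applying the pruning rule."""
    stmts = parse_cil(text)
    types, attrs = set(), {}
    for s in stmts:
        if s[0] == "type":
            types.add(s[1])
        elif s[0] == "typeattribute":
            attrs.setdefault(s[1], set())
        elif s[0] == "typeattributeset":
            members = s[2] if isinstance(s[2], list) else [s[2]]
            if any(isinstance(m, list) or m in SET_OPERATORS for m in members):
                raise ValueError("set expressions are not modelled here")
            attrs.setdefault(s[1], set()).update(members)
    kept, removed = [], []
    for s in stmts:
        if s[0] not in ("allow", "neverallow"):
            continue
        src_types = expand(s[1], types, attrs)
        tgt_types = src_types if s[2] == "self" else expand(s[2], types, attrs)
        # allow rules with an empty source or target can never match anything;
        # neverallow rules are kept so a later check of policy.conf still sees them
        if s[0] == "allow" and (not src_types or not tgt_types):
            removed.append(unparse(s))
        else:
            kept.append(unparse(s))
    return kept, removed


# Constructed sample: x has no member types, y contains z.
POLICY = """
(typeattribute x)
(typeattribute y)
(type z)
(type w)
(typeattributeset y z)
(allow x y (process (transition)))
(allow y x (process (transition)))
(allow y z (file (read)))
(neverallow x y (process (transition)))
(allow z self (process (fork)))
"""

if __name__ == "__main__":
    kept, removed = prune_avrules(POLICY)
    print("kept:", *kept, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
```

Running it drops the two allow rules that involve the empty attribute x (one as source, one as target), keeps the neverallow that mentions x, and leaves the rules between y, z and self untouched.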
