Re: [PATCH] disallow * and ~ in rules
On Fri, 2005-06-24 at 23:24 +1000, Russell Coker wrote:
> I just did a quick test and found a .3% size difference. I'm surprised, I had
> expected that as auditallow doesn't permit an operation the rules would not
> result in anything in the binary policy for an operation which is not
> permitted. Does the current behavior really make sense?
checkpolicy isn't that smart, at least not presently ;)
Same core logic is shared for allow/auditallow/auditdeny/dontaudit, see
te_avtab_helper() in policy_parse.y. Yes, we could have it optimize
away auditallow entries for which no corresponding allow entry exists.
--
Stephen Smalley
National Security Agency
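
Added example, not part of the original message and not checkpolicy code: a small Python check that lists `auditallow` permissions with no matching `allow` permission, the entries the optimization discussed above would drop. It assumes a simplified rule syntax with literal type names, `{ }` sets and `self` only (no attributes, `*` or `~`); the function names and the sample policy are constructed for illustration.

```python
import re
from itertools import product

# Matches "allow|auditallow SOURCE TARGET:CLASS PERMS;" where each field is
# either a single name or a brace-enclosed set of names (simplified syntax).
RULE = re.compile(
    r"^\s*(allow|auditallow)\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.M)

def _names(field):
    """Split 'a' or '{ a b }' into a list of names."""
    return field.strip("{} ").split()

def expand(policy_text):
    """Yield (kind, source, target, class, perm), with sets and 'self' expanded."""
    for kind, src, tgt, cls, perms in RULE.findall(policy_text):
        for s, t, c, p in product(_names(src), _names(tgt),
                                  _names(cls), _names(perms)):
            yield kind, s, (s if t == "self" else t), c, p

def orphan_auditallow(policy_text):
    """Return auditallow (source, target, class, perm) tuples lacking an allow."""
    allowed, audited = set(), set()
    for kind, *key in expand(policy_text):
        (allowed if kind == "allow" else audited).add(tuple(key))
    return sorted(audited - allowed)

# Constructed sample policy, not taken from any real policy source.
SAMPLE = """
allow httpd_t httpd_log_t:file { append getattr };
auditallow httpd_t httpd_log_t:file { append write };
auditallow httpd_t shadow_t:file read;
allow user_t self:process signal;
auditallow user_t user_t:process { signal ptrace };
"""

if __name__ == "__main__":
    for src, tgt, cls, perm in orphan_auditallow(SAMPLE):
        print(f"auditallow without allow: {src} {tgt}:{cls} {perm}")
```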