@@ -394,7 +394,7 @@ int main(int argc, char **argv)
size_t scontext_len, pathlen;
unsigned int i;
unsigned int protocol, port;
- unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0;
+ unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0;
struct val_to_name v;
int ret, ch, fd, target = SEPOL_TARGET_SELINUX;
unsigned int nel, uret;
@@ -419,11 +419,12 @@ int main(int argc, char **argv)
{"cil", no_argument, NULL, 'C'},
{"conf",no_argument, NULL, 'F'},
{"sort", no_argument, NULL, 'S'},
+ {"optimize", no_argument, NULL, 'O'},
{"help", no_argument, NULL, 'h'},
{NULL, 0, NULL, 0}
};
- while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:h", long_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:Oh", long_options, NULL)) != -1) {
switch (ch) {
case 'o':
outfile = optarg;
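Review bot: The new `-O`/`--optimize` option is wired into the getopt string and `long_options`, but the help text is not updated anywhere in this patch — the diffstat's 15 insertions are fully accounted for by the visible hunks, so `usage()` (outside this hunk) still does not mention it. Users will only discover the option from the source. Add a line to the usage output alongside the other flags, e.g. `"  -O, --optimize      optimize the final kernel policy\n"`, matching the file's existing help format. The `main()` body this option parser belongs to starts before the hunk and continues after it.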
@@ -466,6 +467,9 @@ int main(int argc, char **argv)
case 'S':
sort = 1;
break;
+ case 'O':
+ optimize = 1;
+ break;
case 'M':
mlspol = 1;
break;
@@ -625,6 +629,15 @@ int main(int argc, char **argv)
if (policydb_load_isids(&policydb, &sidtab))
exit(1);
+ if (optimize && policydbp->policy_type == POLICY_KERN) {
+ sepol_policydb_t *spdb = (sepol_policydb_t *)policydbp;
+ ret = sepol_policydb_optimize(spdb);
+ if (ret) {
+ fprintf(stderr, "%s: error optimizing policy\n", argv[0]);
+ exit(1);
+ }
+ }
+
if (outfile) {
outfp = fopen(outfile, "w");
if (!outfp) {
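Review bot: When `-O` is given but `policydbp->policy_type` is not `POLICY_KERN`, the condition on the first added line silently skips optimization, yet the commit message says the option is not usable when converting to CIL — the user is told nothing and may assume the written policy was optimized. Either reject the combination up front, or at least warn, e.g. `else if (optimize) fprintf(stderr, "%s: -O ignored, optimization applies only to kernel policies\n", argv[0]);`. Since `sepol_policydb_optimize()` rewrites the rule set before the policy is written, a short comment above the block stating that the output is intended to be semantically equivalent (redundant rules removed) would help reviewers reading the write path, which continues outside this hunk.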
Add the command-line option 'O' to checkpolicy to cause kernel policies to be optimized by calling sepol_policydb_optimize() before being written out. This option can be used on conf files and binary kernel policies, but not when converting a conf file to CIL. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- checkpolicy/checkpolicy.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-)