Description
Unfortunately we cannot presently do a simple cmp of a policy file in the filesystem and /sys/fs/selinux/policy because there are differences in the binary image even though they are semantically identical. While sediff can be used here, it is not complete in its coverage and is an independent tool that could get out of sync anyway; it would be better if we could get the two files identical and comparable via cmp. I think I know why they currently differ (range transition order). The kernel has been enhanced over time to load the range transition rules into a hashtab with a deterministic order for the hash chains; we should do likewise in libsepol/checkpolicy so that they will match. There may still be other potential differences, e.g. if the kernel does not support the policy version of the policy file and load_policy/libsepol downgrade it in memory for loading, but this will be less common, or possibly differences in ebitmaps due to the ebitmap optimization work in the kernel (but this could also be lifted into libsepol and included in the policy format).
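As an added example (not code from the issue or the SELinux project), a small Python checker that reads the binary policy header of an on-disk policy file and of /sys/fs/selinux/policy, then reports whether a cmp mismatch is the version-downgrade case mentioned above or a same-version encoding difference that still needs a semantic comparison such as sediff. The header layout follows what libsepol and the kernel write (magic, target string, version, config, symbol and object-context counts, little-endian); the sample header values used for offline testing are constructed.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C  # magic of a kernel (not module) policy image


def parse_policy_header(blob: bytes) -> dict:
    """Decode the fixed header of a binary SELinux kernel policy.

    Layout: u32 magic, u32 target-string length, the target string
    ("SE Linux"), then u32 version, config, symbol-table count and
    object-context count, all little-endian.
    """
    magic, slen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"not a kernel policy image: magic 0x{magic:08x}")
    target = blob[8:8 + slen].decode("ascii")
    version, config, nsym, nocon = struct.unpack_from("<IIII", blob, 8 + slen)
    return {"target": target, "version": version, "config": config,
            "nsym": nsym, "nocon": nocon}


def classify_policy_diff(on_disk: bytes, loaded: bytes) -> str:
    """Say why a policy file and the kernel's loaded image differ, if they do."""
    if on_disk == loaded:
        return "identical"
    a, b = parse_policy_header(on_disk), parse_policy_header(loaded)
    if a["version"] != b["version"]:
        # The kernel did not support the file's version and it was downgraded
        # in memory before loading; byte equality is not expected here.
        return f"version-mismatch:{a['version']}->{b['version']}"
    # Same version, different bytes: an encoding difference (e.g. the
    # range-transition ordering from the issue). Only a semantic diff such as
    # sediff can tell whether the two policies still express the same rules.
    return "same-version-binary-differs"


def compare_files(disk_path: str, kernel_path: str = "/sys/fs/selinux/policy") -> str:
    """Read both images (root is needed for the kernel one) and classify them."""
    with open(disk_path, "rb") as f, open(kernel_path, "rb") as g:
        return classify_policy_diff(f.read(), g.read())


def make_header(version: int) -> bytes:
    """Constructed policy header for offline testing (counts are placeholders)."""
    target = b"SE Linux"
    return (struct.pack("<II", POLICYDB_MAGIC, len(target)) + target
            + struct.pack("<IIII", version, 1, 8, 9))
```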