From: Russell Coker <russell@coker.com.au>
To: Colin Walters <walters@verbum.org>
Cc: Daniel J Walsh <dwalsh@redhat.com>,
Lennart Poettering <lennart@poettering.net>,
Eric Paris <eparis@redhat.com>,
selinux@tycho.nsa.gov, sds@tycho.nsa.gov
Subject: Re: A filename to label translation daemon
Date: Tue, 14 Aug 2012 21:18:41 +1000 [thread overview]
Message-ID: <201208142118.42167.russell@coker.com.au> (raw)
In-Reply-To: <1344880524.16306.15.camel@lenny>
On Tue, 14 Aug 2012, Colin Walters <walters@verbum.org> wrote:
> Really though in the big picture, while the file context regexps were
> probably an OK solution way back when SELinux was a "proof of concept"
> prototype, the current policy generating 5000 of them is just crazy...
Actually the situation is way better than it was in the early days.
When I first started working on SE Linux the software wasn't as optimised and
the hardware was way slower. A restorecon type operation would be 99% user
CPU time, taking more than 20 minutes of CPU time for relabelling a relatively
small filesystem was common.
Having 5000 on a modern for argument sake (it's 1923 on my system, but that
depends on whether you load a policy with everything or just the modules you
need) is a lot easier than the situation in the early days with fewer regular
expressions.
> One other possibility - I bet one could get a huge speedup in some cases
> by splitting up the regexp set based on common prefixes. For example,
> if you're trying to match /tmp/krb5cc, there's no reason to run over all
> 2000 regexps which start with /usr. This solution is kind of an
> intermediate step between "run 5000 regexps serially" and "write custom
> code to compile 5000 regexps into a DFA that returns a context".
Yes, I wrote code to do that many years ago. Any regex which had a fixed
string for the first subdirectory from root would only be called for a filename
which was in the same subdirectory. The prefixes were indexed so an integer
compare would be used to determine whether a regex would be called. Regexes
which applied to multiple prefixes (EG "/.*") would be applied to all files.
But I believe that the kerberos performance problem is not calling the regexes
but loading. The current code (unless it's changed recently) will compile all
regexes, so when kerberos loads the file contexts for a check on /tmp then it
will compile all regexes under /usr, /var, and other common prefixes even when
they won't be used. I don't know how much time can be saved by skipping the
compile of those.
Another thing that could be done is that we could have an interface for
loading a file_contexts file for a specific prefix. Then the code which generates
the file_contexts file could generate files such as file_contexts_tmp which only
has entries which match /tmp (10 for the policy I use, maybe 50 or so for the
one you use) and which match everything (EG "/.*"). On my system there are 9
file_contexts entries which are not prefix specific of which one is required
("/.*") and of the others /vmlinux.* and /initrd\.img.* are obsolete and the
other 6 could be easily split to be prefix specific.
So with a minor change to the library interface (adding a new entry point so
the new library could work with old apps) we could have a program which knows
that it will only label files under /tmp only checking 11 regexes on my system
or maybe 50 on your system.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2012-08-14 11:18 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-08 19:31 A filename to label translation daemon Eric Paris
2012-08-08 20:05 ` Stephen Smalley
2012-08-08 20:52 ` Daniel J Walsh
2012-08-08 20:55 ` Eric Paris
2012-08-08 21:26 ` Colin Walters
2012-08-09 14:37 ` Russell Coker
2012-08-09 17:06 ` Daniel J Walsh
2012-08-09 17:51 ` Colin Walters
[not found] ` <20120810141101.GC32076@tango.0pointer.de>
[not found] ` <20120810141747.GA909@tango.0pointer.de>
2012-08-13 17:36 ` Daniel J Walsh
2012-08-13 17:55 ` Colin Walters
2012-08-13 18:06 ` Daniel J Walsh
2012-08-14 11:18 ` Russell Coker [this message]
2012-08-14 12:38 ` Eric Paris
2012-08-14 14:01 ` Eric Paris
2012-08-14 16:48 ` Stephen Smalley
2012-08-14 17:21 ` Eric Paris
2012-08-14 22:34 ` Russell Coker
2012-08-15 5:56 ` Russell Coker
2012-08-15 13:22 ` Eric Paris
2012-08-16 23:51 ` Eric Paris
2012-08-10 2:28 ` Russell Coker
2012-08-10 12:39 ` Daniel J Walsh
2012-08-10 13:35 ` Russell Coker
2012-08-12 11:02 ` Daniel J Walsh
[not found] ` <20120810140503.GB32076@tango.0pointer.de>
2012-08-12 11:03 ` Daniel J Walsh
[not found] ` <20120813151821.GB4861@redhat.com>
2012-08-13 16:37 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201208142118.42167.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=dwalsh@redhat.com \
--cc=eparis@redhat.com \
--cc=lennart@poettering.net \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=walters@verbum.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.