Re: I would like to propose that we add compression to handle allpolicy files on disk.

[Daniel J Walsh <dwalsh@redhat.com>]

Joshua Brindle wrote:
>> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
>>
>> On Thu, 2006-11-09 at 10:13 -0500, Stephen Smalley wrote:
>>     
>>> On Thu, 2006-11-09 at 09:34 -0500, Joshua Brindle wrote:
>>>       
>
>   
>>> Sounds like dropping base.linked and making previous optional would 
>>> address the problem more effectively.  Also, do we need to keep 
>>> policy.kern after successful installation of policy.N?  If 
>>>       
>> not, we can 
>>     
>>> have libsemanage unlink it automatically after installation.
>>>       
>> Same question for any other file regenerated by every commit, 
>> although we may not get much of a savings from the others.
>> file_contexts.template, file_contexts, and netfilter_contexts 
>> are the most obvious ones.
>>
>>     
>
> Karl suggested that we can compress the policy packages but not the
> kernel policy. As long as this isn't a policy package format change
> (eg., the policy packages in /usr/share/selinux are the same they've
> always been) and it is only libsemanage manipulating the files in the
> store I'm fine with that. The module store is a private resource of
> libsemanage so nothing else should be affected in any way by this. 
>
> This will slow down some otherwise cheap operations such as semodule -l,
> rather than just opening the files and reading the policy name it'll
> have to decompress them first, I'm not sure what the performance cost
> will be.. Perhaps this should be configurable as well. 
>
> Matt Anderson also mentioned using libbz2 which is more space efficient
> and has a better security history, so embedded installations include
> that library?
>
> With bzip2 compression and nothing removed from the store I'm getting
> around 670k for the active store (so *2 if previous sticks around). With
> all the superfluous files removed the store is around 210k.
>
> What kind of size were we looking for again?
>   
What ever we can get.  This discussion started with, the minimal install 
of Fedora currently is approaching 500 Meg.  A fairly large percentage 
of this is SELinux related.  I would like to make the percentage 
insignificant.  Since most of the files sit around doing nothing.  :^)



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.