There was some discussion about bzip compressing policy modules (actually policy packages). The attached patch implements this. The patch is not ready for merging - I'm trying to get feedback since there was opposition to this approach when proposed. This patch should probably wait until after a stable branch is created.

The patch implements this support by changing sepol_policy_file_t to support decompressing files or memory areas into a private memory copy. This support is optional - dlopen is used so that a hard dependency to libbz2 is not introduced.

I took the approach of decompressing the entire file or memory area because:

* It is very simple
* The current code depends on the ability to seek within policy files - this is not really possible within compressed streams using the bzip2 library.

The downsides are:

* Increased memory usage
* No transparent support for compressed writing with an fd based policy file.

I didn't want to add additional set functions - I would have preferred to allow sepol_policy_file_set_[mem,fd] to transparently open compressed streams with functions to set other behaviors as options stored in sepol_policy_file_t structs. This was not possible because the current set functions do not return errors.

Comments appreciated.

Some very crude benchmarking below (note that I am using a patched semodule to allow the globbing syntax - patch for that to follow). The summary is that there is substantial space savings at the expense of some increase in time to complete common actions. An acceptable trade-off in my opinion. Anyone have suggestions for something as simple as time but for max memory usage?

Karl

Uncompressed
------------

[root@localhost modules]# time semodule -b /usr/share/selinux/strict/base.pp
real 0m15.849s
user 0m14.791s
sys 0m0.930s

[root@localhost nobz-modules]# time semodule -i *.pp
real 0m15.447s
user 0m14.287s
sys 0m0.997s

[root@localhost modules]# time semodule -l
real 0m0.153s
user 0m0.133s
sys 0m0.017s

[root@localhost modules]# du -h
17M ./active/modules
22M ./active
22M .

Compressed
----------

[root@localhost modules]# time semodule -b /root/base.pp.bz2
real 0m16.117s
user 0m14.729s
sys 0m1.022s

[root@localhost modules]# time semodule -i /root/modules/*.bz2
real 0m18.529s
user 0m17.110s
sys 0m1.314s

[root@localhost modules]# time semodule -l
real 0m0.851s
user 0m0.750s
sys 0m0.098s

[root@localhost modules]# du -h
2.0M ./active/modules
4.9M ./active
4.9M .
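
The following is an added example, not part of the original message or the attached patch: a Python sketch of the whole-image approach described above (sniff for a bzip2 header, expand into a private in-memory copy that can be seeked, treat bzip2 support as optional), with a cap on the expanded size because of the increased memory usage noted as a downside. The names `load_policy_bytes`, `is_bzip2`, `PolicyLoadError` and `max_out` and the 64 MiB default are assumptions made for this example and are not libsepol API.

```python
import io

try:                       # optional, like the dlopen() of libbz2 described above
    import bz2
except ImportError:        # interpreter built without bzip2 support
    bz2 = None

CHUNK = 64 * 1024          # compressed bytes fed to the decompressor per step


class PolicyLoadError(Exception):
    """Raised when a policy image cannot be safely expanded."""


def is_bzip2(data: bytes) -> bool:
    # bzip2 stream header: "BZh" followed by the block-size digit '1'..'9'
    return len(data) >= 4 and data[:3] == b"BZh" and data[3:4] in b"123456789"


def load_policy_bytes(data: bytes, max_out: int = 64 * 1024 * 1024) -> bytes:
    """Return an uncompressed, seekable private copy of a policy image.

    load_policy_bytes and max_out are hypothetical names for this example.
    """
    if not is_bzip2(data):
        return bytes(data)             # uncompressed package: copy as-is
    if bz2 is None:
        raise PolicyLoadError("bzip2 support not available")
    dec, src, out = bz2.BZ2Decompressor(), io.BytesIO(data), io.BytesIO()
    try:
        while not dec.eof:
            chunk = b""
            if dec.needs_input:
                chunk = src.read(CHUNK)
                if not chunk:
                    raise PolicyLoadError("truncated bzip2 stream")
            # Ask for at most one byte past the cap so an oversized image is
            # detected without ever holding more than max_out + 1 bytes.
            out.write(dec.decompress(chunk, max_length=max_out + 1 - out.tell()))
            if out.tell() > max_out:
                raise PolicyLoadError("decompressed size exceeds limit")
    except (OSError, ValueError) as exc:
        raise PolicyLoadError(f"corrupt bzip2 stream: {exc}") from exc
    return out.getvalue()
```

Only a single bzip2 stream is expanded; bytes after the end-of-stream marker are ignored.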