From: Joshua Brindle <method@manicmethod.com>
To: russell@coker.com.au
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: semodule memory use
Date: Wed, 10 Sep 2008 08:59:09 -0400 [thread overview]
Message-ID: <48C7C49D.4030706@manicmethod.com> (raw)
In-Reply-To: <200809101403.15762.russell@coker.com.au>
Russell Coker wrote:
> On Wednesday 10 September 2008 12:01, Joshua Brindle <method@manicmethod.com>
> wrote:
>> Russell Coker wrote:
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
>>>
>>> I've received the above bug report against the Debian policy packages.
>>> The operation in question is "semodule -b" followed by "semodule -i".
>>>
>>> I haven't had time to work on this (and won't until well after Lenny is
>>> released). But if anyone has any quick ideas of how to reduce memory use
>>> by semodule then I would be interested to hear them.
>> How big is the policy in terms of rules? If it is even close to the size of
>> Fedora's there is no chance of it running in under 32 meg.
>
> Debian's policy is probably slightly larger than Fedora's, and as it uses
> modules more it probably requires more memory while it's processing.
>
> Fortunately the machines in question have swap space, but it's apparently
> excessively slow.
>
>> You'll need a significantly smaller policy to reduce the memory usage.
>> There is no quick answer, we've already picked most of the low hanging
>> fruit (releasing modules earlier, consuming the linked policy while
>> expanding, reducing the size of the type datum, etc).
>
> For at least four years I've been meaning to reduce the size of the Postfix
> policy. I expect that I can reduce it quite a bit without reducing the
> protection; when I first wanted to do this there were no tools to analyse the
> policy, so it seemed unreasonably difficult.
>
Really I think you need a policy specifically for these devices that has a very small base and in which all the modules are optional. With the smallest base at only a few hundred K, this will save device storage space and should be able to run semodule in the amount of RAM they have.
> One thing we can do in the long-term is to set up a way of using a big machine
> to generate policy that can be used on a smaller machine.
>