* semodule memory use
From: Russell Coker @ 2008-09-10 1:50 UTC (permalink / raw)
To: SE-Linux
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
I've received the above bug report against the Debian policy packages. The
operation in question is "semodule -b" followed by "semodule -i".
I haven't had time to work on this (and won't until well after Lenny is
released). But if anyone has any quick ideas of how to reduce memory use by
semodule then I would be interested to hear them.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: semodule memory use
From: Joshua Brindle @ 2008-09-10 2:01 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
Russell Coker wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
>
> I've received the above bug report against the Debian policy packages. The
> operation in question is "semodule -b" followed by "semodule -i".
>
> I haven't had time to work on this (and won't until well after Lenny is
> released). But if anyone has any quick ideas of how to reduce memory use by
> semodule then I would be interested to hear them.
>
How big is the policy in terms of rules? If it is even close to the size of Fedora's there is no chance of it running in under 32 meg.
You'll need a significantly smaller policy to reduce the memory usage. There is no quick answer, we've already picked most of the low hanging fruit (releasing modules earlier, consuming the linked policy while expanding, reducing the size of the type datum, etc).
* Re: semodule memory use
From: Russell Coker @ 2008-09-10 4:03 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE-Linux
On Wednesday 10 September 2008 12:01, Joshua Brindle <method@manicmethod.com> wrote:
> Russell Coker wrote:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
> >
> > I've received the above bug report against the Debian policy packages.
> > The operation in question is "semodule -b" followed by "semodule -i".
> >
> > I haven't had time to work on this (and won't until well after Lenny is
> > released). But if anyone has any quick ideas of how to reduce memory use
> > by semodule then I would be interested to hear them.
>
> how big is the policy in terms of rules? if it is even close to the size of
> fedora's there is no chance of it running in under 32 meg.
Debian's policy is probably slightly larger than Fedora's, and as it uses
modules more it probably requires more memory while it's processing.
Fortunately the machines in question have swap space, but it's apparently
excessively slow.
> You'll need a significantly smaller policy to reduce the memory usage.
> There is no quick answer, we've already picked most of the low hanging
> fruit (releasing modules earlier, consuming the linked policy while
> expanding, reducing the size of the type datum, etc).
For at least four years I've been meaning to reduce the size of the Postfix
policy. I expect that I can reduce it quite a bit without reducing the
protection. When I first wanted to do this there were no tools to analyse the
policy, so it seemed unreasonably difficult.
One thing we can do in the long-term is to set up a way of using a big machine
to generate policy that can be used on a smaller machine.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* Re: semodule memory use
From: Joshua Brindle @ 2008-09-10 12:59 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
Russell Coker wrote:
> On Wednesday 10 September 2008 12:01, Joshua Brindle <method@manicmethod.com> wrote:
>> Russell Coker wrote:
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
>>>
>>> I've received the above bug report against the Debian policy packages.
>>> The operation in question is "semodule -b" followed by "semodule -i".
>>>
>>> I haven't had time to work on this (and won't until well after Lenny is
>>> released). But if anyone has any quick ideas of how to reduce memory use
>>> by semodule then I would be interested to hear them.
>> how big is the policy in terms of rules? if it is even close to the size of
>> fedora's there is no chance of it running in under 32 meg.
>
> Debian's policy is probably slightly larger than Fedora's, and as it uses
> modules more it probably requires more memory while it's processing.
>
> Fortunately the machines in question have swap space, but it's apparently
> excessively slow.
>
>> You'll need a significantly smaller policy to reduce the memory usage.
>> There is no quick answer, we've already picked most of the low hanging
>> fruit (releasing modules earlier, consuming the linked policy while
>> expanding, reducing the size of the type datum, etc).
>
> For at least four years I've been meaning to reduce the size of the Postfix
> policy. I expect that I can reduce it quite a bit without reducing the
> protection. When I first wanted to do this there were no tools to analyse the
> policy, so it seemed unreasonably difficult.
>
Really I think you need a policy specifically for these devices that has a very small base and all the modules are optional. With the smallest base at only a few hundred K this will save device storage space and should be able to run semodule in the amount of ram they have.
> One thing we can do in the long-term is to set up a way of using a big machine
> to generate policy that can be used on a smaller machine.
>
* Re: semodule memory use
From: Stephen Smalley @ 2008-09-10 12:05 UTC (permalink / raw)
To: russell; +Cc: SE-Linux, Joshua Brindle
On Wed, 2008-09-10 at 11:50 +1000, Russell Coker wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
>
> I've received the above bug report against the Debian policy packages. The
> operation in question is "semodule -b" followed by "semodule -i".
>
> I haven't had time to work on this (and won't until well after Lenny is
> released). But if anyone has any quick ideas of how to reduce memory use by
> semodule then I would be interested to hear them.
Set expand-check = 0 in /etc/selinux/semanage.conf.
The downside is you'll lose neverallow and hierarchy checking at module
insertion time (but you can get them back at policy build time for the
modules you provide by doing a make validate in refpolicy). The upside
is that it doesn't have to expand the attributes in rules nor walk them
for neverallow checking or hierarchy checking.
BTW, hierarchy checking really ought to be conditional on whether there
is any hierarchy at all, the way that neverallow checking immediately
returns if there were no neverallow rules.
--
Stephen Smalley
National Security Agency
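The expand-check trade-off Stephen describes, as an added helper that is not part of the thread: it reads and rewrites the expand-check line of a semanage.conf-style file and spells out which checks semodule will skip. The file path is a parameter so it can be tried on a copy; the default of 1 when the key is absent is an assumption about libsemanage, not something the thread states.

```shell
# Inspect and toggle expand-check in a semanage.conf-style file.
# Added example (not the list's or libsemanage's code); the path is a
# parameter so it runs against a constructed copy, not /etc/selinux/semanage.conf.

# Print the effective expand-check value. The last uncommented assignment
# wins; an absent key is reported as 1 (assumed libsemanage default).
get_expand_check() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-1}"
}

# Rewrite (or append) the expand-check line so exactly one uncommented
# assignment remains, preserving every other line of the file.
set_expand_check() {
    conf="$1"; want="$2"
    case "$want" in
        0|1) ;;
        *) echo "expand-check must be 0 or 1" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    # drop existing uncommented assignments (grep -v exits 1 when nothing
    # is left, which is fine here), then append the desired one
    grep -v '^[[:space:]]*expand-check[[:space:]]*=' "$conf" > "$tmp" || true
    printf 'expand-check = %s\n' "$want" >> "$tmp"
    mv "$tmp" "$conf"
}

# Summarise what the current setting means at module insertion time,
# in the terms used in the thread.
describe_expand_check() {
    if [ "$(get_expand_check "$1")" = "0" ]; then
        echo "neverallow and hierarchy checks skipped at semodule time; run 'make validate' in refpolicy at build time instead"
    else
        echo "neverallow and hierarchy checks run at semodule time (attributes expanded, more memory)"
    fi
}
```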