Message-ID: <4E57A97F.6000401@tresys.com>
Date: Fri, 26 Aug 2011 10:11:11 -0400
From: "Christopher J. PeBenito"
To: Eric Paris
CC: Daniel J Walsh, Eric Paris
Subject: Re: v0 Separate tunables from booleans
References: <1314094112-6477-1-git-send-email-qingtao.cao@windriver.com> <4E55E8E7.1050804@windriver.com> <4E564860.2090502@redhat.com> <4E56F435.1080608@windriver.com> <4E57036F.4070900@redhat.com>
In-Reply-To: <4E57036F.4070900@redhat.com>
List-Id: selinux@tycho.nsa.gov

On 08/25/11 22:22, Eric Paris wrote:
> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>> Daniel J Walsh wrote:
>>> The Fedora policy has removed all calls that do stuff like
>>>
>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>
>>> Which generates hundreds/thousands of rules when run through the M4
>>> macro, since it writes a rule for each file_type except the shadow_t.
>>> Anywhere in policy that we use this construct has to be reworked and
>>> this shrunk the policy by 90%. Your enhancement just adds another 5%
>>> reduction after this change. I sent a patch to refpolicy yesterday to
>>> fix the coreutils interfaces that were doing something like this.
>>>
>> I don't know much about Fedora policy, but for upstream refpolicy and
>> toolchain my patch would contribute 45% size reduction for raw policy
>> and before I sent my patchset out for review I had not seen your patch.
>>
>> Anyway, it would be fantastic to have your patch to further drastically
>> reduce the raw policy size, the whole community would benefit from each
>> single contributor's effort like this.
>
> Agreed. I'm excited about both approaches (reducing the policy size by
> using attributes and eliminating needless unused portions of booleans).
> I'm glad to see Dan pushing his changes. Once this patch set is
> finished I'll be very happy to see a further 5-6% reduction in the
> policy size of Fedora!

I merged Dan's patch into Refpolicy. With all modules on, and using a
monolithic build for easy comparison, it reduced the policy.26 from 5.9MB
to 4.5MB, a 23.7% reduction. It's too bad we don't have an optimizing
compiler that can do these optimizations automatically.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
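The rule Dan quotes is the whole mechanism behind the size numbers in this thread, so here is an added worked example, in Python, that is not code from refpolicy, from Fedora policy, or from anyone on the thread. It models what he describes: a type set with a subtraction such as `{ file_type -shadow_t }` cannot be expressed by a single attribute, so it is written out as one rule per remaining member type, whereas a rule against a purpose-built attribute stays one rule. The types, their attribute memberships, and the attribute name `non_shadow_file_type` are all constructed for the example; the real expansion is done by checkpolicy/libsepol and this script only reproduces the counting. It also performs the check a reviewer of such a rewrite actually wants: that the two spellings resolve to exactly the same set of concrete accesses, so the shrink does not silently widen or narrow policy.

```python
import re

# Constructed sample data (not refpolicy): the attributes each type carries.
# XYZ_t stands in for the subject domain in the quoted rule.
TYPE_ATTRS = {
    "XYZ_t": set(),
    "etc_t": {"file_type"},
    "bin_t": {"file_type", "exec_type"},
    "tmp_t": {"file_type", "tmpfile"},
    "user_home_t": {"file_type"},
    "shadow_t": {"file_type", "security_file_type"},
}

# A type-set operand is either a braced set or a bare identifier.
SET_OR_ID = r"(\{[^}]*\}|[^\s:{};]+)"
ALLOW_RE = re.compile(
    r"^allow\s+" + SET_OR_ID + r"\s+" + SET_OR_ID
    + r"\s*:\s*([^\s:{};]+)\s+" + SET_OR_ID + r"\s*;$"
)


def members_of(type_attrs, name):
    """Concrete types behind an identifier: a type is its own member,
    an attribute yields every type declared with it."""
    if name in type_attrs:
        return {name}
    members = {t for t, attrs in type_attrs.items() if name in attrs}
    if not members:
        raise ValueError(f"unknown type or attribute: {name}")
    return members


def resolve_types(expr, type_attrs):
    """Fully resolve a set expression (with '-' subtraction) to concrete types."""
    included, excluded = set(), set()
    for tok in expr.strip().strip("{}").split():
        bucket = excluded if tok.startswith("-") else included
        bucket.update(members_of(type_attrs, tok.lstrip("-")))
    return included - excluded


def expand_typeset(expr, type_attrs):
    """Identifiers a rule gets written for. A subtraction cannot be kept as an
    attribute reference, so it is expanded to the surviving member types; a set
    without subtraction is left as its identifiers, so an attribute stays one rule."""
    tokens = expr.strip().strip("{}").split()
    if any(tok.startswith("-") for tok in tokens):
        return sorted(resolve_types(expr, type_attrs))
    for tok in tokens:
        members_of(type_attrs, tok)  # fail fast on an unknown identifier
    return tokens


def expand_allow(rule, type_attrs):
    """Rewrite one allow rule into the list of rules the policy ends up holding."""
    m = ALLOW_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    return [
        f"allow {s} {t}:{cls} {perms};"
        for s in expand_typeset(src, type_attrs)
        for t in expand_typeset(tgt, type_attrs)
    ]


def derive_attribute(type_attrs, new_attr, base_attr, *exclude):
    """Model a 'typeattribute' declaration on every member of base_attr except
    `exclude`; returns a new attribute table and leaves the input untouched."""
    out = {t: set(a) for t, a in type_attrs.items()}
    for t in members_of(type_attrs, base_attr) - set(exclude):
        out[t].add(new_attr)
    return out


def concrete_pairs(rules, type_attrs):
    """Resolve rules to (source, target, class, perms) tuples over concrete types,
    so two spellings of a policy can be compared for identical access."""
    pairs = set()
    for rule in rules:
        src, tgt, cls, perms = ALLOW_RE.match(rule.strip()).groups()
        for s in resolve_types(src, type_attrs):
            for t in resolve_types(tgt, type_attrs):
                pairs.add((s, t, cls, perms))
    return pairs


def compare():
    """Old spelling vs. attribute spelling: rule counts and an access-equivalence check."""
    old_rules = expand_allow("allow XYZ_t { file_type -shadow_t }:file read;", TYPE_ATTRS)
    # 'non_shadow_file_type' is a name made up for this example.
    attrs = derive_attribute(TYPE_ATTRS, "non_shadow_file_type", "file_type", "shadow_t")
    new_rules = expand_allow("allow XYZ_t non_shadow_file_type:file read;", attrs)
    same = concrete_pairs(old_rules, TYPE_ATTRS) == concrete_pairs(new_rules, attrs)
    return {"old": old_rules, "new": new_rules, "same_access": same}


if __name__ == "__main__":
    r = compare()
    print(f"{len(r['old'])} rules from the subtraction spelling, "
          f"{len(r['new'])} from the attribute spelling, "
          f"same access: {r['same_access']}")
```

With five `file_type` members in the sample table the subtraction spelling becomes four rules and the attribute spelling one; scale the table to the few hundred file types in a real policy and the ratio is the one Dan is describing. The `same_access` result is the part worth keeping when you rework such an interface: every type that carries `file_type` but is not in the excluded list must get the new attribute, or the rewrite changes what is allowed.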