On 08/25/2011 09:35 AM, James Carter wrote:
> On Thu, 2011-08-25 at 09:04 -0400, Daniel J Walsh wrote:
>> On 08/25/2011 02:17 AM, Harry Ciao wrote:
>>> Hi Eric,
>>>
>>> Eric Paris wrote:
>>>> On Tue, Aug 23, 2011 at 6:08 AM, Harry Ciao wrote:
>>>>
>>>>> With this patchset, the size of policy.X would drop
>>>>> significantly from 600+k down to 322+k bytes (since most of
>>>>> the tunables default to false, and there is no else branch
>>>>> in most conditionals).
>>>>
>>>> I should point out that I think you're off by one order of
>>>> magnitude. You went from a 6M policy to a 3.2M policy. But
>>>> still.
>>>>
>>>> I decided to do a little playing with this yesterday in
>>>> Fedora policy (where Dan already DRASTICALLY reduced the
>>>> policy size by changing from type sets with removal to using
>>>> all attributes). My numbers weren't quite as impressive as
>>>> yours (and I'm not certain I did one thing correctly).
>>>>
>>>> Pre Patch:                       2148552 bytes  89383 allow rules  193 booleans
>>>> Post Patch (no policy changes):  2166328 bytes  89383 allow rules  193 booleans
>>>> Post Patch WITH policy changes:  2031150 bytes  79685 allow rules    4 booleans
>>>>
>>>> So our policy grows 0.8% with only the tools change. Our
>>>> policy shrinks 5.5% with this change. So it certainly
>>>> doesn't look like bad news.
>>>>
>>> No problem. I am using refpolicy from the tresys tree and I have
>>> applied my test patch to introduce a new keyword of "tunable"
>>> and change tunable_policy() to use this tunable keyword rather
>>> than the current "bool" keyword. Since your number of booleans
>>> has jumped from 193 down to 4, you must have applied this patch
>>> correctly :-)
>>>
>>> Since most tunables declared by tunable_policy() would default
>>> to false and most of these tunable_policy() calls just have one if
>>> branch, in practice no rules would ever be expanded and
>>> written to the raw policy for them; that's why I have witnessed a
>>> significant drop from 6M to 3.22M.
>>>
>>> So I could only guess that in Fedora policy perhaps most tunables
>>> default to true, or many tunable conditionals have two
>>> branches, so the logically true branch would be expanded as
>>> normal. Whatever the case, the size of policy.X would decrease when
>>> all disabled branches of rules are discarded.
>>>
>>
>> The Fedora policy has removed all calls that do stuff like
>>
>> allow XYZ_t { file_type -shadow_t }:file read;
>>

I left the interfaces but I stopped using them. I replaced them with files calls.
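The thread above argues that a build-time "tunable" keyword shrinks policy.X because only the branch selected by the tunable's default value is expanded and written out, whereas a runtime "bool" keeps both branches (and the boolean itself) in the binary so the kernel can toggle them later. The following is an added model of that effect, written for this page and not part of Harry Ciao's patch or of refpolicy; `Conditional`, `compile_policy` and the `SAMPLE` policy with its rule strings are constructed for illustration (the tunable names echo refpolicy ones, but the attached rules are made up).

```python
# Added model (not from the thread or from refpolicy): counts which
# conditional rules and which booleans reach the compiled kernel policy
# when the same source is built with and without a build-time "tunable"
# keyword, as contrasted in the discussion above.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Conditional:
    """One if/else conditional block from a policy module (model only)."""
    name: str
    kind: str                      # "bool" (runtime toggle) or "tunable" (build time)
    default: bool                  # value the boolean/tunable is declared with
    if_rules: List[str]            # rules inside the "if" branch
    else_rules: List[str] = field(default_factory=list)  # empty when no else branch


def compile_policy(conds: List[Conditional],
                   tunable_keyword: bool) -> Tuple[List[str], List[str]]:
    """Model of what lands in policy.X.

    tunable_keyword=False: the old toolchain, where tunable_policy() declares
    an ordinary boolean, so every conditional stays runtime-toggleable and
    both branches plus the boolean are written into the binary.
    tunable_keyword=True: conditionals declared with the new keyword are
    resolved at build time; only the live branch is expanded, and a branch
    that is off (or an absent else branch) contributes nothing.
    Returns (rules_written, booleans_kept).
    """
    rules: List[str] = []
    booleans: List[str] = []
    for c in conds:
        if tunable_keyword and c.kind == "tunable":
            rules.extend(c.if_rules if c.default else c.else_rules)
        else:
            booleans.append(c.name)
            rules.extend(c.if_rules)
            rules.extend(c.else_rules)
    return rules, booleans


def summarize(conds: List[Conditional], tunable_keyword: bool) -> Tuple[int, int]:
    """(number of rules written, number of booleans kept) for one build."""
    rules, booleans = compile_policy(conds, tunable_keyword)
    return len(rules), len(booleans)


# Constructed sample policy: one genuine runtime boolean plus tunables that,
# like most of refpolicy's, default to false and have no else branch.
SAMPLE = [
    Conditional("secure_mode", "bool", False,
                ["allow sysadm_t self:capability sys_admin;"],
                ["dontaudit sysadm_t self:capability sys_admin;"]),
    Conditional("allow_execmem", "tunable", False,
                ["allow user_t self:process execmem;"]),
    Conditional("use_nfs_home_dirs", "tunable", False,
                ["allow user_t nfs_t:dir search;",
                 "allow user_t nfs_t:file read;"]),
    Conditional("global_ssp", "tunable", True,
                ["allow domain urandom_device_t:chr_file read;"]),
    Conditional("httpd_can_network_connect", "tunable", False,
                ["allow httpd_t port_type:tcp_socket name_connect;"],
                ["dontaudit httpd_t port_type:tcp_socket name_connect;"]),
]

if __name__ == "__main__":
    for flag in (False, True):
        n_rules, n_bools = summarize(SAMPLE, tunable_keyword=flag)
        print(f"tunable keyword={flag!s:5}  rules written={n_rules}  "
              f"booleans kept={n_bools}")
```

With the sample above the old build writes all 8 rules and keeps 5 booleans, while the tunable-aware build writes 4 rules (the runtime boolean's two branches, the one tunable that defaults to true, and the else branch of the one tunable that has one) and keeps a single boolean; the drop in both counts is the same shape as the 193-to-4 boolean change and the allow-rule reduction Eric reports, and a rebuilt policy can be checked the same way, by comparing rule and boolean counts before and after rather than file size alone.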