From: Philip Tricca <flihp@twobit.us>
To: Joe MacDonald <joe@deserted.net>
Cc: yocto@yoctoproject.org
Subject: Re: [meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}
Date: Wed, 04 Dec 2013 20:34:16 -0500
Message-ID: <529FD818.4080300@twobit.us>
In-Reply-To: <1386106541-28801-1-git-send-email-joe@deserted.net>

On 12/03/2013 04:35 PM, Joe MacDonald wrote:
> (resending, this time including the list ...)
> 
> [Re: [meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}] On
> 13.10.21 (Mon 16:15) Joe MacDonald wrote:
> 
>> [[meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}] On 13.10.21
>> (Mon 18:06) Philip Tricca wrote:
>>
>>> The 'semodule' utility can operate on compressed modules so the only
>>> cost of this change is a slower module load time when invoking
>>> 'semodule -i' on a running system (increased CPU load due to bzip2).
>>> That said my tests show more than 100M reduction in ext3 image size
>>> of core-image-selinux. This last metric is a bit skewed as the image
>>> includes two policies. Still, a reduction in the size of the refpolicy
>>> package by 1/2 is significant.
>>
>> This is included in the batch of updates I've merged and are currently
>> staging in my tree.  FWIW, on my build I saw a similar reduction in size
>> to what you've reported, ~110MB, with a minor hit at load time.  As
>> expected there's also an increase in memory requirements at load time,
>> so I'm poking around a bit to see what this does to the lower-end
>> configurations I've got kicking around.  It'd be really nice if this was
>> an option rather than an on/off thing.
> 
> This took rather longer than I'd hoped.  :-/
> 
> Anyway, I tried a bunch of different configurations and didn't find a huge hit
> on memory requirements by doing this, though I still think there's an advantage
> to making this an option that can be turned off for folks where storage is cheap
> and memory and processing power is at a premium.  That, and the discussion on
> the SELinux mailing list along the same line where the general feeling was that
> smaller policies are better achieved by actually having less policy rather than
> compressing it, led me to this idea.
> 
> A DISTRO_FEATURE that is on by default and incorporates your patch.  What do you
> think, Phil?

Sounds good Joe. Thanks for getting this one in.

- Philip


