From: Stephen Smalley <sds@tycho.nsa.gov>
To: Daniel J Walsh <dwalsh@redhat.com>,
Joshua Brindle <brindle@quarksecurity.com>
Cc: SELinux-NSA <SELinux@tycho.nsa.gov>
Subject: Re: [RFC] [PATCH] libsemanage: Skip policy module re-link when only setting booleans.
Date: Fri, 25 Jul 2014 15:55:59 -0400
Message-ID: <53D2B64F.5020004@tycho.nsa.gov>
In-Reply-To: <53D2B4DA.7090504@redhat.com>

Effectively it would be another copy of the kernel policy file, just one
that is generated before merging local customizations (booleans, users,
ports, nodes, interface), so that we can take that kernel policy, read
it into a policydb, and mutate it rather than having to re-link the
modules to generate another one. Would allow us to avoid module
re-linking on all non-module semanage changes IIUC. Could be
compressed; just means you have to pay the cost of uncompressing it
before using it in libsemanage.

On 07/25/2014 03:49 PM, Daniel J Walsh wrote:
> How large is it? Does it matter if it is compressed?
>
> On 07/25/2014 03:45 PM, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> Motivated by:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1098446
>>>
>>> I believe this is always safe for booleans because we only set their
>>> value; we are never adding new ones via semanage, unlike for example
>>> users, ports, nodes, and interfaces. For the rest, I was wondering why
>>> we don't save the linked file and just reuse it on those changes rather
>>> than re-linking each time - that seems like it would be straightforward
>>
>> We originally kept the linked copy around and had intended to do what
>> you are saying above but removed it when the minimal Red Hat guys
>> complained about the size of it.
>>
>>> to do in libsemanage and make those operations significantly faster and
>>> less memory intensive.
>>
>
Thread overview: 10+ messages
2014-07-25 17:02 [RFC] [PATCH] libsemanage: Skip policy module re-link when only setting booleans Stephen Smalley
2014-07-25 18:35 ` Daniel J Walsh
2014-07-25 19:45 ` Joshua Brindle
2014-07-25 19:49 ` Daniel J Walsh
2014-07-25 19:55 ` Stephen Smalley [this message]
2014-07-25 20:04 ` Joshua Brindle
2014-07-25 20:12 ` Stephen Smalley
2014-07-29 13:15 ` Steve Lawrence
2014-07-28 18:54 ` Daniel J Walsh
2014-08-05 8:30 ` Russell Coker