The selinux-policy rpm works by installing a bunch of binary policy modules and then in post it will call some selinux tools which take all of the modules along with local user configuration and local user modules and will build a final binary policy file. This takes a lot of time and a lot of memory. (In one test we see that this building of the final binary doubles the memory needed by anaconda during install.) Obviously work needs to be done on these tools to fix both the time and the memory usage, and there is some traction along those lines but nothing substantial in the near term.

Since the vast majority of users don't make any local modules or any local configuration, I suggest that we include a final version of the binary policy file inside the RPM, built at rpmbuild time and marked as a config file. Thus if a user makes no local changes to selinux policy, the rpm install/update will just drop a new final policy binary into place and will never locally run the policy compilation tools.

My suggestion (and here is where I need people who understand rpm) was that in post we could test for the existence of a .rpmsave final binary policy file. If we found it we would know that the user had some local configuration and that their final binary policy was not the same as the one included inside the rpm. Thus we could delete the .rpmsave and run the tools to rebuild a final binary policy on the end station.

This should mean that the vast majority of people, who never customize or change their selinux policy, never run these tools and save a lot of time and ram installing/updating the policy rpm.

Is there a better way to do this in RPM? Is there a good way to handle files which are created from a combination of rpm contents and local files?

Thanks everyone!

-Eric

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list
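The post-install check proposed in the message above, sketched as an added example (not code from the original post or from the selinux-policy package). The function name `policy_post`, the policy path and the rebuild command are hypothetical placeholders. It assumes the packaged policy is marked `%config` so that rpm saves a locally modified copy as `.rpmsave`, and it removes the `.rpmsave` only after a successful rebuild, so a failed rebuild is retried on the next update.

```shell
#!/bin/sh
# Added example: decision logic for the proposed post-install scriptlet.
# The policy path and the rebuild command are placeholders supplied by the caller.

# policy_post POLICY_FILE REBUILD_CMD [ARGS...]
# Prints one of:
#   packaged        no .rpmsave found, the prebuilt policy from the rpm stays
#   rebuilt         .rpmsave found, local rebuild succeeded, marker removed
#   rebuild-failed  .rpmsave found, rebuild failed, marker kept for a retry
policy_post() {
    policy=$1
    shift
    saved="${policy}.rpmsave"

    # No .rpmsave: rpm saw an unmodified config file, so there is no local
    # customization and the expensive policy build is skipped entirely.
    if [ ! -e "$saved" ]; then
        echo packaged
        return 0
    fi

    # .rpmsave present: the old final policy differed from the packaged one,
    # so local modules or configuration exist and must be compiled back in.
    # Until the rebuild finishes, the packaged policy just installed is the
    # one on disk, so a valid policy file is always present.
    if "$@"; then
        rm -f -- "$saved"
        echo rebuilt
        return 0
    fi

    # Keep the marker so the next install/update attempts the rebuild again.
    echo rebuild-failed
    return 1
}

# Usage inside the scriptlet (both arguments are placeholders):
#   policy_post <path-to-final-policy> <policy-rebuild-command>
```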