On 12.6.2020 3.03, Russell Coker wrote:
> The reference policy is getting an increasing number of domains and types with an O(N^2) level of complexity for writing policy and an O(N^2) size of the binary policy. In 2012 the binary policy on my machines was 560k; now it's over 2M.
The policy can be shrunk by disabling unused modules; mine is 760k because only 166 modules are enabled out of 506. Some of the modules are for more or less obsolete software (e.g. hal, rlogin, uucp), or they may target proprietary software, which may be of unknown relevance today. Perhaps they should be disabled by default, removed from refpolicy or moved aside to a directory "extra" or "Attic"?
The package installer could also propose groups like "all", "most", "recommended", "distro-only" (disable all 3rd party stuff), "minimal" to enable/disable modules.
-Topi