Russell Coker wrote:
> On Wednesday 10 September 2008 12:01, Joshua Brindle <method@xxxxxxxxxxxxxxx>
> wrote:
>> Russell Coker wrote:
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495786
>>>
>>> I've received the above bug report against the Debian policy packages.
>>> The operation in question is "semodule -b" followed by "semodule -i".
>>>
>>> I haven't had time to work on this (and won't until well after Lenny is
>>> released). But if anyone has any quick ideas of how to reduce memory use
>>> by semodule then I would be interested to hear them.
>> How big is the policy in terms of rules? If it is even close to the size of
>> Fedora's there is no chance of it running in under 32 meg.
>
> Debian's policy is probably slightly larger than Fedora's, and as it uses
> modules more it probably requires more memory while it's processing.
>
> Fortunately the machines in question have swap space, but it's apparently
> excessively slow.
>
>> You'll need a significantly smaller policy to reduce the memory usage.
>> There is no quick answer, we've already picked most of the low hanging
>> fruit (releasing modules earlier, consuming the linked policy while
>> expanding, reducing the size of the type datum, etc).
>
> For at least four years I've been meaning to reduce the size of the Postfix
> policy. I expect that I can reduce it quite a bit without reducing the
> protection, when I first wanted to do this there were no tools to analyse the
> policy so it seemed unreasonably difficult.
>

Really I think you need a policy specifically for these devices that has a very small base and all the modules are optional. With the smallest base at only a few hundred K this will save device storage space and should be able to run semodule in the amount of RAM they have.

> One thing we can do in the long-term is to set up a way of using a big machine
> to generate policy that can be used on a smaller machine.