Daniel J Walsh wrote: > Joshua Brindle wrote: >> Daniel J Walsh wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Currently selinux-policy*rpm install the pp files in >>> /usr/share/selinux/POLICYTYPE/*.pp >>> >>> Then it calls semodule on them to load the policy. libsemanage copies >>> the policy package files to /etc/selinux/targeted/modules/active, Then >>> it recopies the files to /etc/selinux/targeted/modules/previous, where >>> it finishes the assembly of the files. >>> >>> So we end up requiring three times as much space as necessary if the >>> modules are not changing. >>> >>> Policy in Rawhide is 36 megabytes. >>> >>> So on small devices or even usb sticks and cd's this is a large waste of >>> space. This patch is an attempt to use hard links when we can. >>> >>> I have not put it in production, since I wanted people who know the >>> library better then me to tell me whether it is a cracked idea. >>> >>> There is really two ideas in the patch. One is to add interfaces >>> semanage_modules_*_file which take a file instead of a block of memory. >>> semodule would then be changed to use these interfaces. >>> >>> The library then calls semanage_link, This function checks to make sure >>> the file countext of the source matches the file context of the >>> destination, if they match, the tool will attempt a link, if either >>> fails the tool will fall back to copy them. >> I'm open to the idea, I'll take a look at the patch closer as soon as I can. >> >>> I changed the write_file to unlink the destination file which would >>> remove the linked file if it exists. >>> >> Why would write_file unlink the destination? > Because the open command will truncate the real file, > > Remember with lnk_file. Active and Previous point at the same file. So > if you open write/truncate will modify both. If you unlink you will > break the link and create a new file. At least that is my understanding. >>> semanage_store has been changed, so that the creation of the sandbox is >>> via link, if possible. >>> >> Not sure what this means, you are using a link for the store itself? > Yes previous and active initially point at the same files. Wny writes > will create a new file. >>> Is this a good idea or bad? >>> >>> Also want to reinvestigate using some form of compression. >> We've talked about this before but noone has gone off and implemented it. I don't want to slow down semodule and friends for the vast majority of people who don't care about space but for installations on small devices bzip2 can provide quite a bit of savings: >> >> 33M targeted >> 1.6M targeted.compressed >> >> >> >> > I believe when I talked to Karl about this, he had implemented something > but the increased memory use caused low memory machine > 512 M to crash. > > But perhaps we could just use the extra memory when you are running semodule > > active Stores bziped files. When you create the sandbox. BUNZIP pp > files. Then when done shrink them again. This would save space for > most of the time when you are not running gzip, but would require there > to be at least 30 M of free space in order to run the command. > > One other thing I would like to eliminate is policy.kern. Which seems > to be a duplicate of policy.23 It looks like policy.kern is used for > verification, and I was wondering if we could use policy.23 in it's place. > Much of the original design decisions for libsemanage were based around the idea that anything in the store (/etc/selinux/<name>/modules/*) was wholly owned and managed by libsemanage, once files were copied out of that store I don't think we wanted to rely on them within the library. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
