RE: [PATCH v2] libsemanage: Enable configuration of bzip behavior

On Tue, 2009-08-04 at 10:11 -0400, Joshua Brindle wrote:
> > From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] 
> > 
> > Allow the administrator to customize the bzip block size and "small"
> > flag via semanage.conf.  After applying you can add entries 
> > like these to your /etc/selinux/semanage.conf to trade off 
> > memory vs disk space (block size) and to trade off memory vs 
> > runtime (small):
> > 
> > bzip-blocksize=4
> > bzip-small=1
> > 
> > You can also disable bzip compression altogether for your module store
> > via:
> > bzip-blocksize=0
> > 
> 
> Are these the right config entries for everyone? Why not just have a max
> compression, less compression, no compression kind of scheme? How badly
> can you mess up the compression by putting semi-random values in these
> fields?

The default values in the absence of any semanage.conf entries will
remain blocksize 9, small 0 (i.e. maximize compression and minimize
decompression runtime at a cost in memory use).  If the admin chooses to
configure entries in semanage.conf, then he can use any value from 0 (no
compression) through 9 for blocksize, and if he uses anything outside of
that range he'll get an error upon attempting to insert a module (it
will fail in bzip when trying to write the module file).  bzip-small
gets treated as a boolean so any non-zero value will cause it to
optimize for memory use over runtime during decompression.

I can't see any situation where the admin can hurt himself without
knowing about it, as it requires manual configuration to change the
defaults, setting bzip-blocksize > 9 will be immediately evident upon
the next attempt to run semodule, setting bzip-small to any non-zero
value is treated identically to setting it to 1, and the two values are
completely independent of one another.  And admins will already be
familiar with the -1 through -9 options of bzip2 and gzip.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
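
An added example, not part of the original message and not libsemanage code: a small C lint for the `bzip-blocksize` and `bzip-small` entries described above, so that an out-of-range block size is caught before the next semodule run fails. The parsing rules (`key = value`, `#` comments) and the names `struct bzip_conf`, `match_int` and `lint_bzip_conf` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for the two settings discussed in the thread. */
struct bzip_conf { int blocksize; int small; };

/* Returns 1 if `line` is "key = <int>", 0 if it is some other line,
 * -1 if the key is present but the value is not a clean integer. */
static int match_int(const char *line, const char *key, long *out)
{
    size_t n = strlen(key);
    char *end;
    while (isspace((unsigned char)*line)) line++;
    if (strncmp(line, key, n) != 0) return 0;
    line += n;
    while (isspace((unsigned char)*line)) line++;
    if (*line != '=') return 0;
    *out = strtol(line + 1, &end, 10);
    if (end == line + 1) return -1;            /* no digits after '=' */
    while (isspace((unsigned char)*end)) end++;
    return (*end == '\0' || *end == '#') ? 1 : -1;
}

/* Lint a semanage.conf-style buffer: 0 = usable, -1 = bad bzip entry. */
int lint_bzip_conf(const char *text, struct bzip_conf *c)
{
    char line[256];
    c->blocksize = 9; c->small = 0;            /* defaults stated in the thread */
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        long v = 0;
        int r;
        memcpy(line, text, n); line[n] = '\0';
        text += len + (text[len] == '\n');
        if ((r = match_int(line, "bzip-blocksize", &v)) != 0) {
            if (r < 0 || v < 0 || v > 9) return -1;  /* 0 = off, 1-9 = bzip levels */
            c->blocksize = (int)v;
        } else if ((r = match_int(line, "bzip-small", &v)) != 0) {
            if (r < 0) return -1;
            c->small = (v != 0);               /* any non-zero value means "small" */
        }
    }
    return 0;
}

int main(void)
{
    struct bzip_conf c;                        /* constructed sample input below */
    int rc = lint_bzip_conf("bzip-blocksize=4\nbzip-small=1\n", &c);
    printf("rc=%d blocksize=%d small=%d\n", rc, c.blocksize, c.small);
    return rc ? 1 : 0;
}
```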