Re: v0 Separate tunables from booleans


On 08/25/11 22:22, Eric Paris wrote:
> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>> Daniel J Walsh wrote:
>>> The Fedora policy has removed all calls that do stuff like
>>>
>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>
>>> Which generates hundreds/thousands of rules when run through the M4
>>> Macro, since it writes a rule for each file_type except the shadow_t.
>>> Anywhere in policy that we use this construct has to be reworked and
>>> this shrunk the policy by 90%.  Your enhancement just adds another 5%
>>> reduction after this change.  I sent a patch to refpolicy yesterday to
>>> fix the coreutils interfaces that were doing something like this.
>>>
>> I don't know much about Fedora policy, but for upstream refpolicy and
>> toolchain my patch would contribute 45% size reduction for raw policy
>> and before I sent my patchset out for review I had not seen your patch.
>>
>> Anyway, it would be fantastic to have your patch to further drastically
>> reduce the raw policy size, the whole community would benefit from each
>> single contributor's effort like this.
> 
> Agreed.  I'm excited about both approaches (reducing the policy size by
> using attributes and eliminating needless unused portions of booleans).
>  I'm glad to see Dan pushing his changes.  Once this patch set is
> finished I'll be very happy to see a further 5-6% reduction in the
> policy size of Fedora!

I merged Dan's patch into Refpolicy.  With all modules on, and using a
monolithic build for easy comparison, it reduced the policy.26 from
5.9MB to 4.5MB, a 23.7% reduction.  It's too bad we don't have an
optimizing compiler that can do these optimizations automatically.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
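The construct discussed in this thread, `allow XYZ_t { file_type -shadow_t }:file read;`, is modelled below as an added illustration; this is not code from the thread, refpolicy or the SELinux toolchain. The attribute table, the `non_auth_file_type` attribute name and the expansion model (a plain type or attribute target stays one rule, a negated set is written out once per remaining type) are constructed assumptions for the example.

```python
"""Toy model of why a negated type set in an SELinux allow rule inflates
the compiled policy.  Constructed example, NOT the real checkpolicy/libsepol."""
import re

# Constructed attribute membership (hypothetical, not refpolicy's real list).
ATTRIBUTES = {
    "file_type": {"etc_t", "bin_t", "lib_t", "shadow_t", "tmp_t", "var_t"},
}

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+([^;]+);")


def resolve_type_set(spec):
    """Turn '{ file_type -shadow_t }' into the concrete member types.
    Plain names expand through ATTRIBUTES; '-name' removes a type."""
    members, excluded = set(), set()
    for tok in spec.strip("{} ").split():
        if tok.startswith("-"):
            excluded.add(tok[1:])
        else:
            members |= ATTRIBUTES.get(tok, {tok})
    return members - excluded


def expand_rule(rule):
    """Model of compile-time expansion: a single type or attribute target is
    kept as one rule; a braced set (with negation) has no attribute standing
    for it, so one rule is emitted per remaining member type."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unparsable rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    if not tgt.startswith("{"):
        return [f"allow {src} {tgt}:{cls} {perms.strip()};"]
    return [f"allow {src} {t}:{cls} {perms.strip()};"
            for t in sorted(resolve_type_set(tgt))]


def rule_count(rules):
    """Total number of compiled rules produced by a list of source rules."""
    return sum(len(expand_rule(r)) for r in rules)


if __name__ == "__main__":
    negated = "allow XYZ_t { file_type -shadow_t }:file read;"
    print(len(expand_rule(negated)), "rules from the negated form")
    # The rework described in the thread: give the intended set its own
    # attribute (constructed name) so the rule stays a single attribute rule.
    ATTRIBUTES["non_auth_file_type"] = ATTRIBUTES["file_type"] - {"shadow_t"}
    reworked = "allow XYZ_t non_auth_file_type:file read;"
    print(len(expand_rule(reworked)), "rule from the attribute form")
```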
