On Mon, 2012-08-13 at 13:36 -0400, Daniel J Walsh wrote:
> This seems like the best solution? If upstream will accept it. We could
> rebuild the regex data when semanage modifies the file context.

One thing that will make me mildly sad about this is that now in GNOME processes we'll have *three* regexp libraries linked in: libc, glib's PCRE fork (it's ancient history now), and PCRE via libselinux. I wonder how hard it would be to get a pcre_precompile equivalent into libc.

Really though, in the big picture, while the file context regexps were probably an OK solution way back when SELinux was a "proof of concept" prototype, the current policy generating 5000 of them is just crazy...

One other possibility - I bet one could get a huge speedup in some cases by splitting up the regexp set based on common prefixes. For example, if you're trying to match /tmp/krb5cc, there's no reason to run over all 2000 regexps which start with /usr. This solution is kind of an intermediate step between "run 5000 regexps serially" and "write custom code to compile 5000 regexps into a DFA that returns a context".

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.