On 08/13/2012 01:55 PM, Colin Walters wrote:
> On Mon, 2012-08-13 at 13:36 -0400, Daniel J Walsh wrote:
>
>> This seems like the best solution? If upstream will accept it. We
>> could rebuild the regex data when semanage modifies the file context.
>
> One thing that will make me mildly sad about this is that now in GNOME
> processes we'll have *three* regexp libraries linked in: libc, glib's PCRE
> fork (it's ancient history now), and PCRE via libselinux.
>
> I wonder how hard it would be to get a pcre_precompile equivalent into
> libc.
>
> Really though in the big picture, while the file context regexps were
> probably an OK solution way back when SELinux was a "proof of concept"
> prototype, the current policy generating 5000 of them is just crazy...
>
> One other possibility - I bet one could get a huge speedup in some cases by
> splitting up the regexp set based on common prefixes. For example, if
> you're trying to match /tmp/krb5cc, there's no reason to run over all 2000
> regexps which start with /usr. This solution is kind of an intermediate
> step between "run 5000 regexps serially" and "write custom code to compile
> 5000 regexps into a DFA that returns a context".
>
> --
> This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes
> as the message.
>

We have had a solution for this using prefixes and were trying to add some
intelligence to the library, but we are now thinking this is not a good
solution since we are running into potential problems with substitutions.
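
The prefix-splitting idea discussed in this thread, sketched as an added example; it is not code from the thread or from libselinux. The spec patterns and type names are constructed, precedence is simplified to "last matching spec wins", and the substitutions mentioned in the reply are not modelled.

```python
import re
from collections import defaultdict

META = set(".^$?*+|[({\\")

# Constructed specs (regex, context); precedence simplified to "last match wins".
SPECS = [
    ("/.*", "default_t"),
    ("/usr(/.*)?", "usr_t"),
    ("/usr/bin/.*", "bin_t"),
    ("/usr/lib/.*", "lib_t"),
    ("/usr/lib/[^/]+\\.so", "shlib_t"),
    ("/tmp/.*", "tmp_t"),
    ("/tmp/krb5cc.*", "krb5cc_t"),
]

def stem(regex):
    """First path component, only if it is literal and closed by a second '/'."""
    cut = regex.find("/", 1)
    if cut == -1 or any(c in META for c in regex[:cut]):
        return None  # e.g. "/usr(/.*)?" or "/.*": must be tried for every path
    return regex[:cut]

def build(specs):
    """Split the spec list into per-stem buckets plus a generic list."""
    buckets, generic = defaultdict(list), []
    for order, (regex, ctx) in enumerate(specs):
        entry = (order, re.compile(regex), ctx)
        key = stem(regex)
        (buckets[key] if key else generic).append(entry)
    return buckets, generic

def lookup(path, buckets, generic):
    """Return (context, regexes_tried) using only the path's bucket + generic."""
    cut = path.find("/", 1)
    key = path[:cut] if cut != -1 else None
    # Merge by original position so bucketing cannot change which spec wins.
    candidates = sorted(buckets.get(key, []) + generic,
                        key=lambda e: e[0], reverse=True)
    for tried, (_, rx, ctx) in enumerate(candidates, 1):
        if rx.fullmatch(path):
            return ctx, tried
    return None, len(candidates)

def lookup_serial(path, specs):
    """Reference behaviour: try every spec, last one in the list wins."""
    for regex, ctx in reversed(specs):
        if re.fullmatch(regex, path):
            return ctx
    return None
```

Specs such as `/usr(/.*)?` have no closed literal first component, so they stay in the generic list and are still tried for every path; the saving comes only from the specs that can be bucketed.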