Casey Schaufler wrote:
On 11/2/2013 9:42 AM, Sven Vermeulen wrote:
On Wed, Oct 30, 2013 at 9:36 PM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote:
[...]
On 10/30/2013 03:31 PM, Daniel J Walsh wrote:
We are trying to shrink out cloud image as small as possible. One idea
was to shrink SELinux Policy footprint by adding compression to it.
[...]
Personally, I'd much rather see work done on shrinking the actual policy
size in Fedora rather than just compressing it. Both by reducing the
overall size of refpolicy through coalescing similar domains/types and by
making better use of the work that has already been done to support putting
policy modules into rpms and only installing what actually get used.
[...]
Well we have done some work on combining like domains, see antivirus and
spamassassin, but this is a lot of work which no one has time for.
I would love to see the mailserver and mailclients domains combined.
If people want to suggest or more importantly submit patches to combine other
domains, I am all for it.
Problems with shipping policy within rpm still exists. although we (Red Hat)
are at least moving toward layered products shipping their own policy.
openstack-selinux, openshift-selinux, gluster-selinux. This is more for them
updating quicker then RHEL.
In Gentoo, we try to only install the SELinux policies related to the
package that is installed. So if a system does not have a web server,
no httpd policies are loaded. This works pretty well. My workstation
(which is where I do all my SELinux policy development on) has 100
policy modules loaded; my servers usually have around 50 to 60 modules
loaded. That makes running things like "semodule -B" rather smooth.
Not really fast, but one doesn't need to switch to another thing to do
while waiting (4 seconds on a VM I'm currently playing with).
A lot of work is being done to improve the start-up time
of consumer (e.g. phones) devices and "disposable" VMs. We're
talking about people getting their knickers in a twist over
security adding 20 milliseconds to the boot process. Your
4 second semodule run is not going to fly.
semodule has nothing to do with the boot process. It is used to rebuild
policies when something changes, e.g., a module is added or removed from
the policy.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
