On Fri, Nov 11, 2016 at 1:58 AM, Chris PeBenito <pebenito@xxxxxxxx> wrote:
On 11/08/16 10:29, Stephen Smalley wrote:
On 11/08/2016 10:21 AM, Stephen Smalley wrote:
On 11/07/2016 04:51 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bigon@xxxxxxxx>
Add python3 support for sepolicy
Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx>
---
policycoreutils/sepolicy/selinux_client.py | 6 ++--
policycoreutils/sepolicy/sepolicy.py | 38 ++++++++++++------------
policycoreutils/sepolicy/sepolicy/__init__.py | 16 ++++++----
policycoreutils/sepolicy/sepolicy/communicate.py | 4 +--
policycoreutils/sepolicy/sepolicy/generate.py | 30 +++++++++----------
policycoreutils/sepolicy/sepolicy/interface.py | 14 ++++++---
policycoreutils/sepolicy/sepolicy/manpage.py | 7 +++--
7 files changed, 65 insertions(+), 50 deletions(-)
make test doesn't pass in policycoreutils/sepolicy, although I'm not
sure that's new to this patch. I think the manpage ones were already
failing; I don't recall the network one hanging before though. But
maybe that is because I wasn't testing with setools3 fully removed before?
Oh, I guess it is just very slow with setools4. It did finally complete
sepolicy network -d and has moved on (next slow/hanging one is
transition -t).
Yes, sadly setools4 is slower. I haven't spent much time on trying to improve the performance yet (preliminary profiling seems to indicate that swig is the problem). However, looking through the sepolicy code, I found that it could use the setools code more efficiently (I realize the first matter of business was just to get it over to setools4).
The biggest win will be to minimize how many times the code iterates over all TE rules. For example, in the search function, it runs the TERuleQuery twice, when it could be done in one query. Also, for the transition command, it seems to manually implement a domain transition analysis. When I compared the sepolicy transition run time to sedta, sedta was a minute faster for the same analysis.
A few months ago (in August) I did some profiling on sesearch (from SETools 4) and found that a lot of time was spent in SWIG casting operations (like qpol_avrule_from_void). A quick patch to remove a cast (https://github.com/fishilico/setools/commit/461bf0297b950ae40ba5bcb17db0f2a19f14d560) made sesearch quite a bit faster (I don't have the precise numbers here).
In short I believe the way the SWIG wrappers use objects (and create objects from pointers) causes a noticeable performance impact, and I have no opinion on what would be the best approach to improve the code.
Nicolas