On 11/13/16 11:20, Nicolas Iooss wrote:
On Fri, Nov 11, 2016 at 1:58 AM, Chris PeBenito <pebenito@xxxxxxxx <mailto:pebenito@xxxxxxxx>> wrote: On 11/08/16 10:29, Stephen Smalley wrote: Oh, I guess it is just very slow with setools4. It did finally complete sepolicy network -d and has moved on (next slow/hanging one is transition -t). Yes, sadly setools4 is slower. I haven't spent much time on trying to improve the performance yet (preliminary profiling seems to indicate that swig is the problem). However, looking through the sepolicy code, I found that it could use the setools code more efficiently (I realize the first matter of business was just to get it over to setools4). The biggest win will be to minimize how many times the code iterates over all TE rules. For example, in the search function, it runs the TERuleQuery twice, when it could be done in one query. Also, for the transition command, it seems to manually implement a domain transition analysis. When I compared the sepolicy transition run time to sedta, sedta was a minute faster for the same analysis. A few months ago (in August) I did some profiling on sesearch (from SETools 4) and found that a lot of time was spent in SWIG casting operations (like qpol_avrule_from_void). A quick patch to remove a cast (https://github.com/fishilico/setools/commit/461bf0297b950ae40ba5bcb17db0f2a19f14d560) made sesearch quite faster (I don't have the precise numbers here). In short I believe the way the SWIG wrappers use objects (and create objects from pointers) causes a noticeable performance impact, and I have no opinion on what would be the best approach to improve the code.
I've also been considering transitioning out of SWIG into cython. There's no need to support anything other than Python, it's much less magical than SWIG and easier to understand. Unfortunately that will take some effort.
-- Chris PeBenito _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
