On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote:
> The number of type attributes included in the binary policy is becoming a performance issue in some cases.
>
> This patch set more aggressively removes attributes and gives the options to expand and remove all auto-generated attributes and all attributes with fewer than a given amount of attributes assigned.
>
> Comparison of the number of attributes remaining in the binary policy
>        mls   normal   android
> org    310    286      255
> old    268    251      130
> max    154     20       17
> min    226    173      119
> def    224    170       80
> gen    221    170       46
> u5     191    112       59
>
> Org - Number of attributes in the CIL policy
> Old - Results without this patch set
> Max - Remove the maximum number of attributes: "-G -X 9999"
> Min - Remove the minimum number of attributes: "-X 0"
> Def - The new defaults for CIL
> Gen - Just removing auto-generated attributes: "-G"
> U5 - Remove attributes with less than five members: "-X 5"

I tried this with my policy:

old defaults

size: 949K
typeattributes: 765
types: 1420
allow rules: 24812

new defaults

size: 876K
typeattributes: 641
types: 1418
allow rules: 20998

I cannot imagine where the difference went.. every aspect improved. I expected to see some trade-offs instead here.

>
> James Carter (2):
>   libsepol/cil: Add ability to expand some attributes in binary policy
>   secilc: Add options to control the expansion of attributes
>
>  libsepol/cil/include/cil/cil.h     |   2 +
>  libsepol/cil/src/cil.c             |  12 ++
>  libsepol/cil/src/cil_binary.c      | 253 +++++++++++++++++++++++++++----------
>  libsepol/cil/src/cil_internal.h    |   7 +-
>  libsepol/cil/src/cil_post.c        |  32 +++--
>  libsepol/cil/src/cil_resolve_ast.c |  25 ++--
>  libsepol/src/libsepol.map.in       |   2 +
>  secilc/secil2conf.c                |   2 +
>  secilc/secilc.8.xml                |  10 ++
>  secilc/secilc.c                    |  31 ++++-
>  10 files changed, 275 insertions(+), 101 deletions(-)
>
> --
> 2.7.4
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift