[systemd-devel] SELinux support takes up ~15MB of memory?
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 7 06:40:53 PST 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/07/2011 09:33 AM, Lennart Poettering wrote:
> On Fri, 07.01.11 09:22, Daniel J Walsh (dwalsh at redhat.com) wrote:
>
>>> The data must be accessible at runtime hence the only real improvement
>>> we could do here is if libselinux would be able to share the loaded
>>> policy in some way, using mmap. But maybe they are already doing this.
>>>
>>> Anyway, I think this needs to be optimized more in libselinux than in
>>> systemd, so I'd encourage you to ping the selinux folks about this!
>>>
>>> Lennart
>>>
>>
>> Well, it is keeping the entire file context labeling tree in memory.
>>
>> The file /etc/selinux/targeted/context/files/file_contexts is compiled into
>> regexes. One optimization would be to only load the directories that
>> systemd is going to create files in, rather than the whole tree. For
>> example, I think you can say load only the regexes starting with /var if
>> systemd is only going to create and label content under /var. This
>> would cause the size to shrink considerably.
>
> Hmm, can we start with an empty loaded policy and then load additional
> parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
> ask libselinux to load /foo/bar, and so on? Most likely 90% of the
> sockets will be in the same dir anyway (/var/run), so after the first
> socket everything we need should be loaded most of the time. However,
> since sockets can be configured dynamically to any place we might need
> to load policy for other areas, too. Hence if we could load the policy
> bit by bit we should get relatively nice behaviour and only load a
> minimal subset of the policy into memory.
>
> Lennart
>
I think the library functions are there to do this, but you would have
to do the management of the paths. libselinux, I believe, does not have
the capability to add a path after the initial load, but you could have a
linked list of paths connected to blobs of regexes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk0nJfUACgkQrlYvE4MpobMc7wCg1zTXuTM3RGw8xdtjHaam6qwh
X4IAoN4A6otCI+FYBvbOMCexyUC/rtbm
=+LZF
-----END PGP SIGNATURE-----
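To make the two ideas in this exchange concrete (load only the file_contexts regexes whose literal prefix is compatible with one subtree, and keep a linked list of such per-subtree blobs so that a later path under a different directory triggers another load), here is an added example in C. It is not code from the thread, from libselinux or from systemd: the file_contexts fragment is constructed, the subset rule is this example's own approximation, and the names fc_load_subset, fc_lookup, label_for, loaded_subtrees and fc_subset_size are hypothetical. It compiles specs with POSIX regcomp, anchors them to the whole path, and applies last-match-wins as file_contexts does.

```c
/* Added example, not libselinux or systemd code: a toy file_contexts loader that
 * compiles only the specs relevant to one subtree, keeps each subtree's blob on a
 * linked list and loads more subtrees on first use.  Sample lines, subset rule
 * and names are constructed for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample in file_contexts syntax: <regex> [-type] <context>.
 * As in file_contexts, a spec matches the whole path and the last match wins. */
static const char *sample_file_contexts[] = {
    "/.*                  system_u:object_r:default_t:s0",
    "/etc(/.*)?           system_u:object_r:etc_t:s0",
    "/var/run(/.*)?       system_u:object_r:var_run_t:s0",
    "/var/run/dbus(/.*)?  system_u:object_r:system_dbusd_var_run_t:s0",
    "/var/run/.*\\.pid -- system_u:object_r:initrc_var_run_t:s0",
    NULL
};

struct fc_entry { regex_t re; char *context; struct fc_entry *next; };
struct fc_blob {                              /* one subtree's compiled specs */
    char *prefix; struct fc_entry *entries; size_t count; struct fc_blob *next; };

/* A spec belongs to the blob for prefix when its literal leading part agrees with
 * prefix; stop at the first regex metacharacter (so "/.*" is loaded everywhere). */
static int spec_under_prefix(const char *regex, const char *prefix)
{
    for (size_t i = 0; prefix[i] && regex[i]; i++) {
        if (strchr(".^$*+?()[]{}|\\", regex[i])) return 1;
        if (regex[i] != prefix[i]) return 0;
    }
    return 1;
}

static int path_in_subtree(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);                /* prefix "/" covers everything */
    return n == 1 || (!strncmp(path, prefix, n) && (path[n] == '/' || !path[n]));
}

/* Compile the specs relevant to path's first plen bytes (its directory) into a
 * new blob at the head of the list. */
static struct fc_blob *fc_load_subset(struct fc_blob **list, const char *path, size_t plen)
{
    struct fc_blob *b = calloc(1, sizeof *b);
    struct fc_entry **tail = &b->entries;
    b->prefix = strndup(path, plen);
    for (const char **line = sample_file_contexts; *line; line++) {
        char buf[256], anchored[272], *save;
        snprintf(buf, sizeof buf, "%s", *line);
        char *regex = strtok_r(buf, " \t", &save);
        char *context = strtok_r(NULL, " \t", &save);
        if (context && *context == '-')        /* skip the optional -type field */
            context = strtok_r(NULL, " \t", &save);
        if (!regex || !context || !spec_under_prefix(regex, b->prefix)) continue;
        struct fc_entry *e = calloc(1, sizeof *e);
        snprintf(anchored, sizeof anchored, "^(%s)$", regex);   /* whole-path match */
        if (regcomp(&e->re, anchored, REG_EXTENDED | REG_NOSUB)) { free(e); continue; }
        e->context = strdup(context);
        *tail = e; tail = &e->next; b->count++;
    }
    b->next = *list; *list = b;
    return b;
}

/* Label path from the blob covering it, loading the blob for path's directory on
 * first use.  Returns the context of the last matching spec, or NULL. */
static const char *fc_lookup(struct fc_blob **list, const char *path)
{
    const char *slash = strrchr(path, '/'), *best = NULL;
    struct fc_blob *b = *list;
    if (path[0] != '/') return NULL;
    while (b && !path_in_subtree(path, b->prefix)) b = b->next;
    if (!b)                                   /* first path seen under this dir */
        b = fc_load_subset(list, path, slash == path ? 1 : (size_t)(slash - path));
    for (struct fc_entry *e = b->entries; e; e = e->next)
        if (regexec(&e->re, path, 0, NULL, 0) == 0)
            best = e->context;
    return best;
}

static struct fc_blob *loaded;    /* process-wide list of loaded subtrees */
const char *label_for(const char *path) { return fc_lookup(&loaded, path); }
size_t loaded_subtrees(void)
{ size_t n = 0; for (struct fc_blob *b = loaded; b; b = b->next) n++; return n; }
size_t fc_subset_size(const char *prefix)   /* specs a load for prefix compiles */
{
    size_t n = 0;                           /* the regex is each line's first field */
    for (const char **line = sample_file_contexts; *line; line++)
        n += spec_under_prefix(*line, prefix);
    return n;
}

int main(void)
{
    const char *p = "/var/run/dbus/system_bus_socket";
    printf("%zu of %zu specs needed under /var/run\n", fc_subset_size("/var/run"), fc_subset_size("/"));
    printf("%s -> %s (%zu subtree loaded)\n", p, label_for(p), loaded_subtrees());
    return 0;
}
```

The saving is proportional to how few specs share a literal prefix with the directories a daemon actually labels; catch-all specs such as "/.*" are loaded for every subtree, so a real file_contexts with many of them benefits less. libselinux's selabel_open(3) has had a SELABEL_OPT_SUBSET option for this kind of prefix-restricted load of the file backend; check the man page of the version you ship, since the real loader's subset rule and its treatment of that option have changed over time, and the example above only approximates it.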