[systemd-devel] SELinux support takes up ~15MB of memory?

Lennart Poettering lennart at poettering.net
Fri Jan 7 06:44:45 PST 2011


On Fri, 07.01.11 09:40, Daniel J Walsh (dwalsh at redhat.com) wrote:

> > Hmm, can we start with an empty loaded policy and then load additional
> > parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
> > ask libselinux to load /foo/bar, and so on? Most likely 90% of the
> > sockets will be in the same dir anyway (/var/run), so after the first
> > socket everything we need should be loaded most of the time. However,
> > since sockets can be configured dynamically to any place we might need
> > to load policy for other areas, too. Hence if we could load the policy
> > bit by bit we should get relatively nice behaviour and only load a
> > minimal subset of the policy into memory.
> > 
> > Lennart
> > 
> I think the library functions are there to do this, but you would have
> to do the management of the paths.  libselinux I believe does not have
> the capability to add a path after the initial load but you could have a
> linked list of paths connected to blobs of regexes.

So, instead of loading one single policy blob we would basically load a
number of independent policy blobs, but always only parts of the real
thing? I guess that is quite doable, though I do wonder what the prefix
finding algorithm should best look like...

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
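The scheme discussed in this thread, as an added illustration that is not systemd's or libselinux's code: instead of compiling the whole file_contexts database at startup, a directory prefix is derived from each path that needs a label, a blob of compiled regexes for that prefix is loaded on first use, and later lookups walk a linked list of loaded blobs picking the longest loaded prefix that covers the path. The four-entry `file_contexts` table is constructed for the example and is not a real policy; the matching rule follows the file_contexts convention that the last matching entry wins. The real libselinux equivalent of the per-prefix load is `selabel_open()` with the `SELABEL_OPT_SUBSET` option, which this example deliberately does not link against.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a file_contexts file (example data, not a real policy).
 * Regexes are stored already anchored, as libselinux would anchor them. */
struct spec { const char *regex; const char *context; };
static const struct spec file_contexts[] = {
    { "^/.*$",                  "system_u:object_r:default_t:s0" },
    { "^/var/run(/.*)?$",       "system_u:object_r:var_run_t:s0" },
    { "^/var/run/dbus(/.*)?$",  "system_u:object_r:system_dbusd_var_run_t:s0" },
    { "^/tmp(/.*)?$",           "system_u:object_r:tmp_t:s0" },
};
#define NSPECS (sizeof file_contexts / sizeof *file_contexts)

/* One lazily loaded blob: the compiled regexes relevant to a single directory prefix. */
struct blob {
    char *prefix;            /* directory this blob was loaded for, e.g. "/var/run" */
    regex_t re[NSPECS];      /* compiled subset of file_contexts */
    const char *ctx[NSPECS];
    size_t n;
    struct blob *next;       /* linked list of loaded blobs */
};
static struct blob *blobs;   /* head of the list */
static unsigned loads;       /* how many blobs have been loaded so far */

/* Literal stem of a regex: leading characters before the first metacharacter. */
static const char *stem(const char *re, size_t *len) {
    if (*re == '^') re++;
    *len = strcspn(re, ".[(*?+$|\\{");
    return re;
}

/* True if the first plen chars of pre equal s and end on a path component boundary. */
static int path_prefix(const char *pre, size_t plen, const char *s) {
    return strncmp(pre, s, plen) == 0 &&
           (s[plen] == '\0' || s[plen] == '/' || pre[plen - 1] == '/');
}

/* Compile only the specs whose stem lies on the path to, at or below the prefix. */
static struct blob *load_blob(const char *prefix) {
    struct blob *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    size_t plen = strlen(prefix);
    b->prefix = malloc(plen + 1);
    if (!b->prefix) { free(b); return NULL; }
    memcpy(b->prefix, prefix, plen + 1);
    for (size_t i = 0; i < NSPECS; i++) {
        size_t sl;
        const char *st = stem(file_contexts[i].regex, &sl);
        if (!path_prefix(prefix, plen, st) && !path_prefix(st, sl, prefix))
            continue;
        if (regcomp(&b->re[b->n], file_contexts[i].regex, REG_EXTENDED | REG_NOSUB) != 0)
            continue;
        b->ctx[b->n++] = file_contexts[i].context;
    }
    b->next = blobs;
    blobs = b;
    loads++;
    return b;
}

/* Label a path: find the longest loaded prefix covering its directory, loading one if needed. */
const char *lookup_context(const char *path) {
    char dir[4096];
    const char *slash = strrchr(path, '/');
    if (!slash || slash == path)
        snprintf(dir, sizeof dir, "/");
    else
        snprintf(dir, sizeof dir, "%.*s", (int)(slash - path), path);

    struct blob *best = NULL;
    for (struct blob *b = blobs; b; b = b->next)
        if (path_prefix(b->prefix, strlen(b->prefix), dir) &&
            (!best || strlen(b->prefix) > strlen(best->prefix)))
            best = b;
    if (!best && !(best = load_blob(dir)))
        return NULL;

    const char *ctx = NULL;
    for (size_t i = 0; i < best->n; i++)
        if (regexec(&best->re[i], path, 0, NULL, 0) == 0)
            ctx = best->ctx[i];   /* last matching entry wins */
    return ctx;
}

unsigned blobs_loaded(void) { return loads; }

int main(void) {
    const char *paths[] = { "/var/run/foo.sock", "/var/run/dbus/system_bus_socket",
                            "/tmp/x.sock", "/etc/passwd" };
    for (size_t i = 0; i < 4; i++)
        printf("%-32s -> %s (blobs loaded: %u)\n", paths[i],
               lookup_context(paths[i]), blobs_loaded());
    return 0;
}
```

Note that a blob loaded for `/var/run` also serves `/var/run/dbus/...`, because specs whose stem lies below the prefix are included, so the second lookup above triggers no new load; a sibling directory such as `/tmp` does.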

