[systemd-devel] SELinux support takes up ~15MB of memory?

Lennart Poettering lennart at poettering.net
Fri Jan 7 06:33:32 PST 2011


On Fri, 07.01.11 09:22, Daniel J Walsh (dwalsh at redhat.com) wrote:

> > The data must be accessible at runtime hence the only real improvement
> > we could do here is if libselinux would be able to share the loaded
> > policy in some way, using mmap. But maybe they are already doing this.
> > 
> > Anyway, I think this needs to be optimized more in libselinux than in
> > systemd, so I'd encourage you to ping the selinux folks about this!
> > 
> > Lennart
> > 
> 
> Well it is keeping the entire file context labeling tree in memory.
> 
> The file /etc/selinux/targeted/context/files/file_contexts is compiled into
> regexes.  One optimization would be to only load the directories that
> systemd is going to create files in, rather than the whole tree.  For
> example I think you can say load only the regexes starting with /var if
> systemd is only going to create and label content under /var.  This
> would cause the size to shrink considerably.

Hmm, can we start with an empty loaded policy and then load additional
parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
ask libselinux to load /foo/bar, and so on? Most likely 90% of the
sockets will be in the same dir anyway (/var/run), so after the first
socket everything we need should be loaded most of the time. However,
since sockets can be configured dynamically to any place we might need
to load policy for other areas, too. Hence if we could load the policy
bit by bit we should get relatively nice behaviour and only load a
minimal subset of the policy into memory.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
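To make the "load the policy bit by bit" idea above concrete, here is an added example (not code from this thread, from systemd or from libselinux). It is a toy file_contexts labeler: all entries are parsed up front, but a regex is only compiled when a lookup first touches the directory it applies to, so the regex memory scales with the parts of the tree actually labeled. The sample lines are constructed in file_contexts syntax (`<regex> [type] <context>`); the file-type flag (`-s`, `-d`, ...) is parsed but ignored, and the last matching entry wins, as in file_contexts. The static version of this knob that libselinux itself offers is the SELABEL_OPT_SUBSET option of selabel_open(), which restricts loading to entries under one path prefix; the toy below adds the on-demand part.

```c
/* Added example, not from the thread, systemd or libselinux: lazy, prefix-
 * restricted loading of a constructed file_contexts table using POSIX regex. */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64

/* Constructed sample lines in file_contexts syntax: <regex> [type] <context>. */
static const char *sample_file_contexts[] = {
    "/var/run/.*\\.sock     -s  system_u:object_r:var_run_t:s0",
    "/var/run(/.*)?             system_u:object_r:var_run_t:s0",
    "/var/log(/.*)?             system_u:object_r:var_log_t:s0",
    "/dev/log               -s  system_u:object_r:devlog_t:s0",
    "/etc/.*                    system_u:object_r:etc_t:s0",
};

struct entry {
    char *spec;        /* regex text as written in file_contexts */
    char *context;     /* security context to apply */
    size_t prefix_len; /* literal prefix: spec up to the first regex metachar */
    regex_t re;
    int compiled;      /* 0 until a lookup under this prefix needs it */
};

static struct entry entries[MAX_ENTRIES];
static size_t n_entries;
static size_t n_compiled;

/* Parse the sample table; nothing is compiled yet. Returns the entry count. */
size_t load_policy(void)
{
    size_t n = sizeof sample_file_contexts / sizeof sample_file_contexts[0];
    n_entries = n_compiled = 0;
    for (size_t i = 0; i < n && n_entries < MAX_ENTRIES; i++) {
        char spec[128], f2[128], f3[128];
        int fields = sscanf(sample_file_contexts[i], "%127s %127s %127s", spec, f2, f3);
        if (fields < 2)
            continue;                                  /* malformed line: skip */
        struct entry *e = &entries[n_entries++];
        e->spec = strdup(spec);
        e->context = strdup(fields == 3 ? f3 : f2);    /* last field is the context */
        e->prefix_len = strcspn(e->spec, ".^$?*+|[](){}\\");
        e->compiled = 0;
    }
    return n_entries;
}

/* Compile every entry that could match a path inside dir: the entry's literal
 * prefix lies under dir, or dir lies under that prefix. Entries for unrelated
 * subtrees stay uncompiled and cost no regex memory. */
static void load_subset(const char *dir)
{
    size_t dir_len = strlen(dir);
    for (size_t i = 0; i < n_entries; i++) {
        struct entry *e = &entries[i];
        size_t n = e->prefix_len < dir_len ? e->prefix_len : dir_len;
        if (e->compiled || strncmp(e->spec, dir, n) != 0)
            continue;
        char anchored[256];
        snprintf(anchored, sizeof anchored, "^%s$", e->spec); /* specs match whole paths */
        if (regcomp(&e->re, anchored, REG_EXTENDED | REG_NOSUB) == 0) {
            e->compiled = 1;
            n_compiled++;
        }
    }
}

/* Label a path: load the subtree it lives in on demand, then apply the
 * file_contexts rule that the last matching entry wins. NULL = no match. */
const char *lookup(const char *path)
{
    char dir[256];
    const char *slash = strrchr(path, '/');
    size_t len = slash ? (size_t)(slash - path) : 0;
    if (len >= sizeof dir)
        return NULL;
    memcpy(dir, path, len);
    dir[len] = '\0';
    load_subset(len ? dir : "/");
    for (size_t i = n_entries; i-- > 0;) {
        if (entries[i].compiled && regexec(&entries[i].re, path, 0, NULL, 0) == 0)
            return entries[i].context;
    }
    return NULL;
}

/* Number of regexes currently resident in memory. */
size_t loaded_count(void) { return n_compiled; }

int main(void)
{
    load_policy();
    const char *paths[] = { "/var/run/dbus.sock", "/var/log/messages", "/tmp/x", "/dev/log" };
    for (size_t i = 0; i < 4; i++) {
        const char *ctx = lookup(paths[i]);
        printf("%-20s -> %-32s (%zu of %zu regexes compiled)\n",
               paths[i], ctx ? ctx : "(no match)", loaded_count(), n_entries);
    }
    return 0;
}
```

Running it shows the first socket under /var/run pulling in only the two /var/run entries, a later /var/log lookup adding one more, and a path under /tmp adding nothing because no entry can apply there; the /etc entry is never compiled. A real implementation would also have to invalidate or extend the loaded subset when the policy on disk changes, which this toy does not handle.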

