[systemd-devel] SELinux support takes up ~15MB of memory?

Daniel J Walsh dwalsh at redhat.com
Fri Jan 7 06:22:40 PST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/06/2011 07:28 PM, Lennart Poettering wrote:
> On Sat, 04.12.10 22:57, Ran Benita (ran234 at gmail.com) wrote:
> 
>> The culprit seems to be selabel_lookup_raw which gets called by
>> several functions in label.c (mostly label_mkdir and label_fix).
>> These, in turn, seem to compile a great amount of regexes and store
>> them in an array in an selabel_handle struct. systemd keeps around
>> one called label_hnd (in label.c) in a static global variable for the
>> duration of the program.
>> This is what I observed from reading label.c in systemd, label_file.c
>> in libselinux, and some gdb. But I may have got it completely wrong;
>> It seems to keep the entire policy in memory, or something of the
>> sort, but I really don't know how it's _supposed_ to work.
> 
> This big blob is the policy data. It is loaded the first time we have to
> label something and then stays in memory.
> 
> The data must be accessible at runtime hence the only real improvement
> we could do here is if libselinux would be able to share the loaded
> policy in some way, using mmap. But maybe they are already doing this.
> 
> Anyway, I think this needs to be optimized more in libselinux than in
> systemd, so I'd encourage you to ping the selinux folks about this!
> 
> Lennart
> 

Well it is keeping the entire file context tree labeling tree in memory.

The file /etc/selinux/targeted/context/files/file_contexts compiled into
Regexs.  One optimization would be to only load the the directories that
systemd is going to create files in, rather then the hole tree.  For
example I think you can say load only the regex starting with /var if
systemd is only going to create and label content under /var.  This
would cause the size to shring considerably

# wc -l /etc/selinux/targeted/contexts/files/file_contexts
3884 /etc/selinux/targeted/contexts/files/file_contexts

# grep ^/var  /etc/selinux/targeted/contexts/files/file_contexts | wc -l
1028

# grep ^/var/run  /etc/selinux/targeted/contexts/files/file_contexts | wc -l
326
# grep ^/var/lock  /etc/selinux/targeted/contexts/files/file_contexts |
wc -l
10

Taking it a step father, we could decrease it even further.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0nIbAACgkQrlYvE4MpobPMdgCeKXgWBeZEOhlPrZYoGyXWbOgR
iHwAnRp6VbQD7n8Kq+o0kJ4mkq3sVs8f
=LzXg
-----END PGP SIGNATURE-----


More information about the systemd-devel mailing list