On Fri, 07.01.11 09:22, Daniel J Walsh ([email protected]) wrote:

> > The data must be accessible at runtime hence the only real improvement
> > we could do here is if libselinux would be able to share the loaded
> > policy in some way, using mmap. But maybe they are already doing this.
> >
> > Anyway, I think this needs to be optimized more in libselinux than in
> > systemd, so I'd encourage you to ping the selinux folks about this!
> >
> > Lennart
>
> Well it is keeping the entire file context labeling tree in memory.
>
> The file /etc/selinux/targeted/context/files/file_contexts compiled into
> Regexes. One optimization would be to only load the directories that
> systemd is going to create files in, rather than the whole tree. For
> example I think you can say load only the regex starting with /var if
> systemd is only going to create and label content under /var. This
> would cause the size to shrink considerably.
Hmm, can we start with an empty loaded policy and then load additional parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we ask libselinux to load /foo/bar, and so on? Most likely 90% of the sockets will be in the same dir anyway (/var/run), so after the first socket everything we need should be loaded most of the time. However, since sockets can be configured dynamically to any place we might need to load policy for other areas, too. Hence if we could load the policy bit by bit we should get relatively nice behaviour and only load a minimal subset of the policy into memory.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
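The prefix-restricted loading Daniel and Lennart are discussing is what libselinux's SELABEL_OPT_SUBSET option to selabel_open(3) provides. The following is an added Python sketch written for this thread, not code from libselinux or systemd; it parses a constructed file_contexts(5) sample, keeps only the specs whose literal stem lies under a requested prefix (my approximation of the subset rule), and resolves lookups with the last-matching-spec rule, which also shows the caveat: a path outside the loaded subset silently falls back to the most general spec.

```python
import re

# Constructed sample in file_contexts(5) format; not the real targeted policy file.
SAMPLE_FILE_CONTEXTS = """\
/.*                      system_u:object_r:default_t:s0
/etc(/.*)?               system_u:object_r:etc_t:s0
/var(/.*)?               system_u:object_r:var_t:s0
/var/run(/.*)?           system_u:object_r:var_run_t:s0
/var/run/dbus(/.*)?      system_u:object_r:system_dbusd_var_run_t:s0
/var/run/.*\\.pid    --  system_u:object_r:var_run_t:s0
/usr/lib(/.*)?           system_u:object_r:lib_t:s0
"""
# file type flags as used in file_contexts; a spec without one matches any type
_FTYPE = {'--': 'file', '-d': 'dir', '-s': 'sock', '-c': 'chr',
          '-b': 'blk', '-p': 'fifo', '-l': 'lnk'}
_META = re.compile(r'[.^$?*+|()\[\]{}\\]')

def literal_stem(regex):
    """Literal path prefix of a spec: everything before the first regex metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[:m.start()]

def load_file_contexts(text, subset=None):
    """Parse file_contexts into (compiled regex, type, context) triples, in file order.
    With `subset`, keep only specs under that prefix plus the more general specs
    whose stem is a prefix of it (e.g. '/' and '/var' for '/var/run')."""
    specs = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        if subset is not None:
            stem = literal_stem(regex)
            if not (stem.startswith(subset) or subset.startswith(stem)):
                continue  # outside the requested subtree: neither compiled nor kept
        specs.append((re.compile(regex + '$'), ftype, context))
    return specs

def lookup(specs, path, ftype=None):
    """Like selabel_lookup(3): scan from the end, the last matching spec wins."""
    for rx, spec_type, context in reversed(specs):
        if spec_type is not None and ftype is not None and _FTYPE[spec_type] != ftype:
            continue
        if rx.match(path):
            return context
    return None  # no spec matches: the caller must treat the path as unlabeled
```

Loading only the /var/run subtree drops the /etc and /usr/lib specs, so a lookup for /etc/passwd against that subset returns default_t instead of etc_t; any incremental scheme therefore has to load the right prefix before labeling a path under it.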
