On 01/06/2011 07:28 PM, Lennart Poettering wrote:
> On Sat, 04.12.10 22:57, Ran Benita ([email protected]) wrote:
>
>> The culprit seems to be selabel_lookup_raw which gets called by
>> several functions in label.c (mostly label_mkdir and label_fix).
>> These, in turn, seem to compile a great amount of regexes and store
>> them in an array in an selabel_handle struct. systemd keeps around
>> one called label_hnd (in label.c) in a static global variable for the
>> duration of the program.
>> This is what I observed from reading label.c in systemd, label_file.c
>> in libselinux, and some gdb. But I may have got it completely wrong;
>> It seems to keep the entire policy in memory, or something of the
>> sort, but I really don't know how it's _supposed_ to work.
>
> This big blob is the policy data. It is loaded the first time we have to
> label something and then stays in memory.
>
> The data must be accessible at runtime hence the only real improvement
> we could do here is if libselinux would be able to share the loaded
> policy in some way, using mmap. But maybe they are already doing this.
>
> Anyway, I think this needs to be optimized more in libselinux than in
> systemd, so I'd encourage you to ping the selinux folks about this!
>
> Lennart
>
Well it is keeping the entire file context tree labeling tree in memory.
The file /etc/selinux/targeted/context/files/file_contexts compiled into
Regexes.

One optimization would be to only load the directories that systemd
is going to create files in, rather than the whole tree.

For example I think you can say load only the regex starting with /var
if systemd is only going to create and label content under /var.

This would cause the size to shrink considerably

# wc -l /etc/selinux/targeted/contexts/files/file_contexts
3884 /etc/selinux/targeted/contexts/files/file_contexts
# grep ^/var /etc/selinux/targeted/contexts/files/file_contexts | wc -l
1028
# grep ^/var/run /etc/selinux/targeted/contexts/files/file_contexts | wc -l
326
# grep ^/var/lock /etc/selinux/targeted/contexts/files/file_contexts | wc -l
10

Taking it a step farther, we could decrease it even further.
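
Added example (not part of the original message, and not code from systemd or libselinux): a sketch of the prefix-restricted load discussed above that, besides the lines a textual `grep ^/var/run` selects, also keeps specs whose regex can still match a path under that prefix. It assumes each spec is matched against the whole path; the sample entries, type names and function names are constructed for illustration.

```python
# Constructed sample in file_contexts format: path regex, optional file
# type, context. Paths and type names are made up for illustration.
SAMPLE = r"""
/.*                     system_u:object_r:demo_default_t:s0
/etc/.*                 system_u:object_r:demo_etc_t:s0
/var(/.*)?              system_u:object_r:demo_var_t:s0
/var/run(/.*)?          system_u:object_r:demo_run_t:s0
/var/run/demo\.pid  --  system_u:object_r:demo_pid_t:s0
/var/rund?/x            system_u:object_r:demo_rund_t:s0
/var/lock(/.*)?         system_u:object_r:demo_lock_t:s0
/(etc|var/run)/x        system_u:object_r:demo_x_t:s0
"""
META = set(".^$?*+|[({\\")  # characters that end the literal part of a regex

def parse(text):
    """Yield (path_regex, file_type_or_None, context) per spec line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) in (2, 3) and not fields[0].startswith("#"):
            yield fields[0], (fields[1] if len(fields) == 3 else None), fields[-1]

def literal_prefix(regex):
    """String that every full match of the regex must start with."""
    if "|" in regex:
        return ""  # alternation: assume it could match anywhere
    for i, ch in enumerate(regex):
        if ch in META:
            # ?, * and { make the character before them optional
            return regex[:i - 1] if ch in "?*{" and i > 0 else regex[:i]
    return regex

def filter_specs(text, prefix):
    """Specs that can still match some path starting with `prefix`."""
    out = []
    for spec in parse(text):
        lit = literal_prefix(spec[0])
        if lit.startswith(prefix) or prefix.startswith(lit):
            out.append(spec)
    return out

def naive_filter(text, prefix):
    """What `grep ^prefix` selects: lines that textually start with it."""
    return [s for s in parse(text) if s[0].startswith(prefix)]

if __name__ == "__main__":
    kept, naive = filter_specs(SAMPLE, "/var/run"), naive_filter(SAMPLE, "/var/run")
    print(len(kept), "kept;", len(naive), "selected by a textual prefix match")
    for spec in kept:
        if spec not in naive:
            print("  only kept by the regex-aware filter:", spec[0])
```

The filter is deliberately conservative: a spec it cannot reason about (alternation, an escape early in the pattern) is kept, so a path under the prefix never loses a rule that the full file would have applied to it.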
