On 01/07/2011 09:33 AM, Lennart Poettering wrote:
> On Fri, 07.01.11 09:22, Daniel J Walsh ([email protected]) wrote:
>
>>> The data must be accessible at runtime hence the only real improvement
>>> we could do here is if libselinux would be able to share the loaded
>>> policy in some way, using mmap. But maybe they are already doing this.
>>>
>>> Anyway, I think this needs to be optimized more in libselinux than in
>>> systemd, so I'd encourage you to ping the selinux folks about this!
>>>
>>> Lennart
>>>
>>
>> Well it is keeping the entire file context tree labeling tree in memory.
>>
>> The file /etc/selinux/targeted/context/files/file_contexts compiled into
>> regexes. One optimization would be to only load the directories that
>> systemd is going to create files in, rather than the whole tree. For
>> example I think you can say load only the regex starting with /var if
>> systemd is only going to create and label content under /var. This
>> would cause the size to shrink considerably
>
> Hmm, can we start with an empty loaded policy and then load additional
> parts of it as we go? i.e. if we encounter a socket /foo/bar/waldo we
> ask libselinux to load /foo/bar, and so on? Most likely 90% of the
> sockets will be in the same dir anyway (/var/run), so after the first
> socket everything we need should be loaded most of the time. However,
> since sockets can be configured dynamically to any place we might need
> to load policy for other areas, too. Hence if we could load the policy
> bit by bit we should get relatively nice behaviour and only load a
> minimal subset of the policy into memory.
>
> Lennart
>

I think the library functions are there to do this, but you would have
to do the management of the paths. libselinux I believe does not have
the capability to add a path after the initial load but you could have
a linked list of paths connected to blobs of regexes.
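
The caller-managed scheme discussed in this thread (a linked list of path prefixes, each connected to a blob of compiled regexes that is loaded the first time a path under that prefix is labeled), as an added example that is not libselinux or systemd code. The `SPECS` table is a constructed sample, `struct blob`, `load_prefix` and `lookup` are hypothetical names, and both the stem-based filter and the "last matching spec wins" order are simplifying assumptions.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample in file_contexts style (regex, context); not real policy. */
static const char *SPECS[][2] = {
    {"/.*",                 "system_u:object_r:default_t:s0"},
    {"/var/run(/.*)?",      "system_u:object_r:var_run_t:s0"},
    {"/var/run/dbus(/.*)?", "system_u:object_r:system_dbusd_var_run_t:s0"},
    {"/tmp(/.*)?",          "system_u:object_r:tmp_t:s0"},
};
enum { NSPEC = sizeof SPECS / sizeof SPECS[0] };
/* One list node per loaded prefix, holding only that prefix's compiled regexes. */
struct blob { char prefix[64]; regex_t re[NSPEC]; int spec[NSPEC], n; struct blob *next; };
static struct blob *loaded;
int compiled_total; /* regexes compiled so far, to show what lazy loading avoids */

static struct blob *load_prefix(const char *prefix) {
    struct blob *b = calloc(1, sizeof *b);
    size_t plen = strlen(prefix);
    char pat[128];
    if (!b) return NULL;
    snprintf(b->prefix, sizeof b->prefix, "%s", prefix);
    for (int i = 0; i < NSPEC; i++) {
        /* Stem = literal text before the first metacharacter; an extra spec is harmless. */
        size_t stem = strcspn(SPECS[i][0], ".*+?[]()|^$\\{");
        if (strncmp(SPECS[i][0], prefix, stem < plen ? stem : plen) != 0) continue;
        snprintf(pat, sizeof pat, "^(%s)$", SPECS[i][0]); /* match the whole path */
        if (regcomp(&b->re[b->n], pat, REG_EXTENDED | REG_NOSUB) != 0) continue;
        b->spec[b->n++] = i; compiled_total++;
    }
    b->next = loaded;
    return loaded = b;
}

/* Context for path; the blob for its top-level directory is loaded on first use. */
const char *lookup(const char *path) {
    char prefix[64];
    struct blob *b;
    size_t len = path[0] == '/' ? 1 + strcspn(path + 1, "/") : sizeof prefix;
    if (len >= sizeof prefix) return NULL; /* relative or over-long first component */
    memcpy(prefix, path, len); prefix[len] = '\0';
    for (b = loaded; b && strcmp(b->prefix, prefix) != 0; b = b->next) ;
    if (!b && !(b = load_prefix(prefix))) return NULL;
    for (int i = b->n - 1; i >= 0; i--) /* assumption: the last matching spec wins */
        if (regexec(&b->re[i], path, 0, NULL, 0) == 0) return SPECS[b->spec[i]][1];
    return NULL;
}
int main(void) { puts(lookup("/var/run/dbus/system_bus_socket")); return 0; }
```

With this sample, the first lookup under /var compiles three regexes, later lookups under /var compile none, and a first lookup under /tmp compiles two more.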
