[yocto] [meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}
Philip Tricca
flihp at twobit.us
Mon Oct 21 11:06:52 PDT 2013
The 'semodule' utility can operate on compressed modules so the only
cost of this change is a slower module load time when invoking
'semodule -i' on a running system (increased CPU load due to bzip2).
That said, my tests show more than 100M reduction in ext3 image size
of core-image-selinux. This last metric is a bit skewed as the image
includes two policies. Still, a reduction in the size of the refpolicy
package by 1/2 is significant.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
recipes-security/refpolicy/refpolicy_common.inc | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 873d887..0ca0b9d 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -12,7 +12,7 @@ SRC_URI += "file://customizable_types \
S = "${WORKDIR}/refpolicy"
FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
- ${datadir}/selinux/${POLICY_NAME}/*.pp"
+ ${datadir}/selinux/${POLICY_NAME}/*.pp.bz2"
FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
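Review bot: the new FILES_${PN} glob on the `+` line matches only `*.pp.bz2`, so any module left uncompressed under ${datadir}/selinux/${POLICY_NAME}/ would no longer be picked up by this package. That makes packaging depend on every `bzip2` call in the install step succeeding, which the loop further down does not check. The rename also changes the on-target paths: anything that runs `semodule -i` against a `.pp` file in ${datadir} has to use the `.pp.bz2` name after this change, and the commit message should say so.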
@@ -67,11 +67,12 @@ EOF
mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
- bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
- ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+ bzip2 $i
if [ "`basename $i`" != "base.pp" ]; then
- bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
+ cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
+ else
+ cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
fi
done
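Review bot: `bzip2 $i` at the top of the loop runs without `-f` and its result is not checked before the `cp ${i}.bz2 ...` lines that follow. If a `.pp.bz2` from an earlier run is already present, bzip2 refuses to overwrite it and the loop goes on to copy the stale file into modules/active. Suggest `bzip2 -f "$i"` and stopping the task if it fails. The expansions of `$i` and the `basename` substitution are also unquoted; quoting them and computing the basename once into a variable, instead of up to twice per iteration, would make the loop easier to read. Since the files copied into modules/active keep the `.pp` name while holding bzip2 data, as before, a one-line comment saying this is intentional would help the next reader.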
--
1.7.10.4