[yocto] [meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}

Joe MacDonald joe at deserted.net
Mon Oct 21 13:15:12 PDT 2013


[[meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}] On 13.10.21 (Mon 18:06) Philip Tricca wrote:

> The 'semodule' utility can operate on compressed modules so the only
> cost of this change is a slower module load time when invoking
> 'semodule -i' on a running system (increased CPU load due to bzip2).
> That said my tests show more than 100M reduction in ext3 image size
> of core-image-selinux. This last metric is a bit skewed as the image
> includes two policies. Still, a reduction in the size of the refpolicy
> package by 1/2 is significant.

This is included in the batch of updates I've merged and are currently
staging in my tree.  FWIW, on my build I saw a similar reduction in size
to what you've reported, ~110MB, with a minor hit at load time.  As
expected there's also an increase in memory requirements at load time,
so I'm poking around a bit to see what this does to the lower-end
configurations I've got kicking around.  It'd be really nice if this was
an option rather than an on/off thing.

-J.

> 
> Signed-off-by: Philip Tricca <flihp at twobit.us>
> ---
>  recipes-security/refpolicy/refpolicy_common.inc |    9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> index 873d887..0ca0b9d 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -12,7 +12,7 @@ SRC_URI += "file://customizable_types \
>  S = "${WORKDIR}/refpolicy"
>  
>  FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
> -	${datadir}/selinux/${POLICY_NAME}/*.pp"
> +	${datadir}/selinux/${POLICY_NAME}/*.pp.bz2"
>  FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
>  
>  DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
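Review bot: The FILES_${PN} pattern is switched to `*.pp.bz2` unconditionally, so there is no way left to ship uncompressed modules from ${datadir}, and an uncompressed `.pp` that ends up in that directory will no longer match the package's file list. Consider gating both this pattern and the compression step in the install hunk on a single recipe variable (a hypothetical name would be something like POLICY_COMPRESS_MODULES), so the two always change together; that would also address the request in this reply that the behaviour be an option for low-memory targets.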
> @@ -67,11 +67,12 @@ EOF
>  	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>  	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>  	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
> -	bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
> -		${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>  	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
> +		bzip2 $i
>  		if [ "`basename $i`" != "base.pp" ]; then
> -			bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
> +			cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
> +		else
> +			cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
>  		fi
>  	done
>  
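Review bot: In the loop, `bzip2 $i` runs without `-f` and `$i` is unquoted there and in both `cp` lines. bzip2 refuses to overwrite an existing output file, so a leftover `.pp.bz2` in ${D} makes the step fail, and a path containing whitespace would be split; suggest `bzip2 -f "$i"` and `cp "${i}.bz2" ...`. Separately, the copies under modules/active and modules/active/modules keep the plain `.pp` name while holding bzip2 data, whereas the same content in ${datadir} is now named `.pp.bz2`; a short comment in the recipe explaining that the naming difference is intentional would help the next reader.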
-- 
-Joe MacDonald.
:wq