[yocto] [meta-selinux][PATCH] libsemanage: disable expand-check on policy load

Joe MacDonald joe at deserted.net
Wed May 7 11:55:58 PDT 2014


For small policy modules it's not necessary to walk the hierarchy on load.
On embedded devices that are low-powered or resource-constrained, disabling
the hierarchy processing can make the difference between seconds and
(many) minutes of load time (or being able to load the policy at all).

Signed-off-by: Joe MacDonald <joe at deserted.net>
---
 ...anage-disable-expand-check-on-policy-load.patch |   32 ++++++++++++++++++++
 recipes-security/selinux/libsemanage_2.2.bb        |    1 +
 2 files changed, 33 insertions(+)
 create mode 100644 recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch

diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
new file mode 100644
index 0000000..653cfbb
--- /dev/null
+++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
@@ -0,0 +1,32 @@
+From b8c5b743c0e0435b1b89eb93c2b846bda7f132f5 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe at deserted.net>
+Date: Wed, 7 May 2014 11:36:27 -0400
+Subject: [PATCH] libsemanage: disable expand-check on policy load
+
+For small policy modules it's not necessary to walk the hierarchy on load.
+On embedded devices that are low-powered or resource-constrained disabling
+the hierarchy processing can make the difference between seconds and
+(many) minutes of load time (or being able to load the policy at all).
+
+Upstream-Status: Denied [upstream developers want to preserve the default
+                 checking: http://marc.info/?l=selinux&m=121794804217721&w=2]
+
+Signed-off-by: Joe MacDonald <joe at deserted.net>
+---
+ src/semanage.conf |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/semanage.conf b/src/semanage.conf
+index 24e1999..42050a7 100644
+--- a/src/semanage.conf
++++ b/src/semanage.conf
+@@ -36,3 +36,6 @@ module-store = direct
+ # version is necessary.
+ #policy-version = 19
+
++# Don't check the entire policy hierarchy when inserting / expanding a policy
++# module.  This results in a significant speed-up in policy loading.
++expand-check=0
+-- 
+1.7.10.4
+
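Review bot: the comment added to src/semanage.conf in this hunk ("Don't check the entire policy hierarchy when inserting / expanding a policy module") understates what `expand-check=0` turns off: in libsemanage this setting also skips checking of neverallow assertions when modules are expanded and inserted, which is exactly the default checking the Upstream-Status note says upstream wanted to keep. Please say so in the comment and in the commit message, e.g. "# Skip hierarchy and neverallow assertion checks when expanding policy modules", so that anyone enabling this recipe knows that violations of neverallow rules in a module will no longer be rejected at load time and must be caught when the policy is built instead. A line noting how to restore the default (set `expand-check=1` or drop the line in the installed semanage.conf) would also help, since the change is silent once deployed.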
diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.2.bb
index 93daf9f..716296f 100644
--- a/recipes-security/selinux/libsemanage_2.2.bb
+++ b/recipes-security/selinux/libsemanage_2.2.bb
@@ -15,4 +15,5 @@ SRC_URI += "\
 	file://libsemanage-drop-Wno-unused-but-set-variable.patch \
 	file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
 	file://libsemanage-allow-to-disable-audit-support.patch \
+	file://libsemanage-disable-expand-check-on-policy-load.patch \
 	"
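Review bot: the patch is appended to SRC_URI unconditionally, so every libsemanage_2.2 build from this layer ships with expand-check disabled, not only the low-powered or resource-constrained targets the commit message argues for. Consider gating it, for example behind a PACKAGECONFIG option or a distro-specific bbappend, so that images that can afford the check keep the upstream default; and since the patch carries `Upstream-Status: Denied`, add a short note in the recipe that it must be re-applied on each libsemanage version bump.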
-- 
1.7.10.4



