[[meta-selinux][PATCH] bzip SELinux policy modules in ${datadir}] On 13.10.21
(Mon 18:06) Philip Tricca wrote:
> The 'semodule' utility can operate on compresed modules so the only
> cost of this change is a slower module load time when invoking
> 'semodule -i' on a running system (increased CPU load due to bzip2).
> That said my tests show more than 100M reduction in ext3 image size
> of core-image-selinux. This last metric is a bit skewed as the image
> includes two policies. Still, a reduction in the size of the refpolicy
> package by 1/2 is significant.
This is included in the batch of updates I've merged and are currently
staging in my tree. FWIW, on my build I saw a similar reduction in size
to what you've reported, ~110MB, with a minor hit at load time. As
expected there's also an increase in memory requirements at load time,
so I'm poking around a bit to see what this does to the lower-end
configurations I've got kicking around. It'd be really nice if this was
an option rather than an on/off thing.
-J.
>
> Signed-off-by: Philip Tricca <fl...@twobit.us>
> ---
> recipes-security/refpolicy/refpolicy_common.inc | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc
> b/recipes-security/refpolicy/refpolicy_common.inc
> index 873d887..0ca0b9d 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -12,7 +12,7 @@ SRC_URI += "file://customizable_types \
> S = "${WORKDIR}/refpolicy"
>
> FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
> - ${datadir}/selinux/${POLICY_NAME}/*.pp"
> + ${datadir}/selinux/${POLICY_NAME}/*.pp.bz2"
> FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
>
> DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> @@ -67,11 +67,12 @@ EOF
> mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
> mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
> touch
> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
> - bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
> - ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
> for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
> + bzip2 $i
> if [ "`basename $i`" != "base.pp" ]; then
> - bzip2 -c $i >
> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
> + cp ${i}.bz2
> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
> + else
> + cp ${i}.bz2
> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
> fi
> done
>
--
-Joe MacDonald.
:wq
signature.asc
Description: Digital signature
_______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
