danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
The incredible shrinking SELinux footprint
danwalsh
In my last blog I talked about how we have shrunk the memory used by setroubleshoot.  

Today I am going to talk about another project I have been working on:

Adding compression to SELinux policy modules
.

What happens when you install the SELinux policy package? 

In Fedora 10, the selinux-policy-targeted rpm package contains 159 policy modules, uncompressed these take up 39 Megabytes of disk space.  These modules get installed into the /usr/share/selinux/targeted directory.  The selinux-policy-targeted rpm post install script executes the semodule command on the SELinux policy modules which update the policy on disk.  After the the semodule command is run, the /usr/share/selinux/targeted files are never used again. rpm requires these files remain on disk or commands like rpm -V would fail. 

The semodule command copies the SELinux policy modules to the policy store, in /etc/selinux/targeted/modules/active directory and its subdirectories.  We now have 78 Megabytes of disk space being used.  To make matters worse, whenever semanage or semodule commands are executed, they create a sandbox environment which copies the entire contents of the "active" directory to a "previous" directory.  This allows us to restore the original environment if the commands fail.  We end up with a third copy of the policy files for a total of  117 Megabytes.    On desktop systems/laptops this is not a big problem, but using SELinux on smaller footprint machines, like liveusb sticks, OLPC, ovirt, or other small devices like cell phones, it is a huge problem.

In F10 I simply added bzip2 compression to the policy packages in the rpm.  This shrunk the size required to store the policy modules to 3 Megabytes.  But the post install still needs to uncompressed the files before installing them.   The files in the policy store and sandbox are not compressed.  The selinux-policy rpm still requires > 120 Megabytes to do the selinux-policy install.  On a normal running system we are using 36 Megabytes less space.

In F11/Rawhide, I added bzip compression directly into the SELinux policy tools,   This allows us to install the compressed policy modules directly from /usr/share/selinux/targeted and the /etc/selinux/targeted/modules/active directory contains compressed modules.  I also switched the library to use hard links instead of copying the policy packages when creating the sandbox, it only creates new files when they differ.  These changes allows the semanage/semodule commands to  require around 10 Megabytes of disk space on the system.  Giving us a 10:1 improvement in disk utilization!


Does the added compression support up the memory consumption during policy tool actions?




Yes although I try to minimize this by freeing the memory after each module. So the additional memory is only the size used to unocompress the largest module. We have not heard of a problem yet, but that is what rawhide is for.

On very small memory systems, it might be better to not run any SELinux tools on them, but to install the already compiled policy environment.

You are viewing danwalsh