Dan Walsh's Blog

Got SELinux?


SELinux Policy RPM in Rawhide/F16 includes prebuilt policy file.
The selinux-policy-TYPE packages have always rebuilt the policy in their post-install step.  We do this in order to merge any customizations to the policy that an administrator might have made.  The selinux-policy RPM package also needs to rebuild the policy if any policies were installed by other RPMs or by the administrator.

Over time, as the policy has grown in size and become more complex, the installation procedure has required more memory and more time.  We have seen stats showing that, during installations, one of the biggest memory hogs was the selinux-policy-targeted package.

Over the last couple of weeks,  I decided to re-examine the situation.  

The selinux-policy-TYPE packages will now ship with a pre-built policy package and will rebuild the policy only if the existing policy has been customized.

The following test shows a 4 times speedup when installing the package (48 seconds -> 12 seconds), and max memory usage going from 38 M to 6 Meg.

Modified:
# time -v rpm -Uhv /home/devel/dwalsh/sources/RPMS/noarch/selinux-policy-targeted-3.9.16-29.1.fc16.noarch.rpm --force
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
    Command being timed: "rpm -Uhv /home/devel/dwalsh/sources/RPMS/noarch/selinux-policy-targeted-3.9.16-29.1.fc16.noarch.rpm --force"
<snip>
    Elapsed (wall clock) time (h:mm:ss or m:ss): 0:48.11
<snip>
    Maximum resident set size (kbytes): 377608
<snip>  

Unmodified:
# time -v rpm -Uhv /home/devel/dwalsh/sources/RPMS/noarch/selinux-policy-targeted-3.9.16-29.1.fc16.noarch.rpm --force
Preparing...                ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
    Command being timed: "rpm -Uhv /home/devel/dwalsh/sources/RPMS/noarch/selinux-policy-targeted-3.9.16-29.1.fc16.noarch.rpm --force"
<snip>
    Elapsed (wall clock) time (h:mm:ss or m:ss): 0:12.32
<snip>
    Maximum resident set size (kbytes): 60112
<snip>


You will only see this improvement on a fresh install, and you should continue to see it on all later updates, although updates can still do a partial relabel after install.

If you are doing an update and would like to see the improvement, you can do the following. Note that removing /etc/selinux/targeted also removes any local policy customizations stored under it.

# setenforce 0
# rm -rf /etc/selinux/targeted
# yum -y reinstall selinux-policy selinux-policy-targeted
# restorecon -R -v /etc/selinux/targeted
# setenforce 1


The system will then be treated as a fresh install.
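
A check to run before the `rm -rf` step, listing the local customization records the removal would delete. This is an added example, not part of the original post; it assumes the libsemanage store layout of that era, where semanage writes local changes to `*.local` files under `modules/active`, and the function names and sample store are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): report local policy
# customizations in an SELinux policy store before deleting it.
# Assumption: semanage records live in <root>/modules/active/*.local.

# Print "<file>: <record count>" for each *.local file that holds at least
# one non-comment, non-blank line.
# Returns 0 if customizations were found, 1 if none, 2 if the store is missing.
list_local_customizations() {
    store="${1:-/etc/selinux/targeted}/modules/active"
    found=1
    [ -d "$store" ] || { echo "no policy store at $store" >&2; return 2; }
    for f in "$store"/*.local; do
        [ -f "$f" ] || continue      # glob matched nothing
        # Count records, ignoring comments and blank lines.
        n=$(grep -Ev '^[[:space:]]*(#|$)' "$f" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "$(basename "$f"): $n"
            found=0
        fi
    done
    return $found
}

# Build a constructed sample store (not real system data; the record
# syntax is illustrative) so the check can be tried without touching
# /etc/selinux. Prints the path of the temporary root.
make_sample_store() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/active"
    printf '# local booleans\nhttpd_can_network_connect=1\n' \
        > "$d/modules/active/booleans.local"
    printf '# This file is auto-generated\n\n' \
        > "$d/modules/active/ports.local"
    echo "$d"
}

# Usage on a real system:
#   list_local_customizations /etc/selinux/targeted || echo "nothing to lose"
```

Administrator-installed policy modules are not covered by this check; compare `semodule -l` output before and after if those matter.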

Try it out.

Wow. Good idea. Thank you.
