January 26th, 2009

The incredible shrinking SELinux footprint

In my last blog I talked about how we have shrunk the memory used by setroubleshoot.  

Today I am going to talk about another project I have been working on:

Adding compression to SELinux policy modules

What happens when you install the SELinux policy package? 

In Fedora 10, the selinux-policy-targeted rpm package contains 159 policy modules; uncompressed, these take up 39 Megabytes of disk space. These modules get installed into the /usr/share/selinux/targeted directory. The selinux-policy-targeted rpm post install script executes the semodule command on the SELinux policy modules, which updates the policy on disk. After the semodule command is run, the /usr/share/selinux/targeted files are never used again, but rpm requires that these files remain on disk, or commands like rpm -V would fail.

The semodule command copies the SELinux policy modules to the policy store, in the /etc/selinux/targeted/modules/active directory and its subdirectories. We now have 78 Megabytes of disk space being used. To make matters worse, whenever semanage or semodule commands are executed, they create a sandbox environment which copies the entire contents of the "active" directory to a "previous" directory. This allows us to restore the original environment if the commands fail. We end up with a third copy of the policy files, for a total of 117 Megabytes. On desktop systems and laptops this is not a big problem, but when using SELinux on smaller footprint machines, like liveusb sticks, OLPC, ovirt, or other small devices like cell phones, it is a huge problem.

In F10 I simply added bzip2 compression to the policy packages in the rpm. This shrank the size required to store the policy modules to 3 Megabytes. But the post install still needs to uncompress the files before installing them. The files in the policy store and sandbox are not compressed. The selinux-policy rpm still requires > 120 Megabytes to do the selinux-policy install. On a normal running system we are using 36 Megabytes less space.

In F11/Rawhide, I added bzip2 compression directly into the SELinux policy tools. This allows us to install the compressed policy modules directly from /usr/share/selinux/targeted, and the /etc/selinux/targeted/modules/active directory contains compressed modules. I also switched the library to use hard links instead of copying the policy packages when creating the sandbox; it only creates new files when they differ. These changes allow the semanage/semodule commands to require around 10 Megabytes of disk space on the system, giving us a 10:1 improvement in disk utilization!
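
The compressed store and hard-linked sandbox described above, as an added Python example (not the SELinux library's own code): the function names, the `.pp.bz2` file naming and the sample modules are assumptions made for illustration. It shows that a hard-linked sandbox costs no extra space until a module actually differs, and that replacing a module in the sandbox leaves the copy in "active" untouched for rollback.

```python
import bz2, os, tempfile

def install_module(store, name, raw):
    """Write a module into the store bzip2-compressed (file naming is hypothetical)."""
    with open(os.path.join(store, name + ".pp.bz2"), "wb") as f:
        f.write(bz2.compress(raw))

def make_sandbox(active, sandbox):
    """Build the sandbox by hard-linking each module instead of copying it."""
    os.makedirs(sandbox)
    for name in os.listdir(active):
        os.link(os.path.join(active, name), os.path.join(sandbox, name))

def update_module(sandbox, name, raw):
    """Create a new file only when the content differs; return True if one was created."""
    path = os.path.join(sandbox, name + ".pp.bz2")
    if os.path.exists(path):
        with open(path, "rb") as f:
            if bz2.decompress(f.read()) == raw:
                return False  # unchanged: keep sharing the inode with "active"
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(bz2.compress(raw))
    os.replace(tmp, path)  # new inode; never write through the shared link
    return True

def disk_bytes(*dirs):
    """Sum file sizes, counting each inode once, since hard links share data blocks."""
    seen = {}
    for d in dirs:
        for name in os.listdir(d):
            st = os.stat(os.path.join(d, name))
            seen[(st.st_dev, st.st_ino)] = st.st_size
    return sum(seen.values())

def demo():
    # Constructed sample modules, not real policy.
    mods = {f"mod{i}": (f"allow t{i} self:file read;\n" * 2000).encode() for i in range(5)}
    with tempfile.TemporaryDirectory() as root:
        active, sandbox = os.path.join(root, "active"), os.path.join(root, "sandbox")
        os.makedirs(active)
        for name, raw in mods.items():
            install_module(active, name, raw)
        r = {"raw": sum(map(len, mods.values())), "before": disk_bytes(active)}
        make_sandbox(active, sandbox)
        r["shared"] = disk_bytes(active, sandbox)
        r["same"] = update_module(sandbox, "mod0", mods["mod0"])
        r["changed"] = update_module(sandbox, "mod1", b"allow t1 self:file write;\n" * 2000)
        r["after"] = disk_bytes(active, sandbox)
        with open(os.path.join(active, "mod1.pp.bz2"), "rb") as f:
            r["active_intact"] = bz2.decompress(f.read()) == mods["mod1"]
    return r
```

Replacing a changed module through a temporary file and a rename is what keeps the rollback copy safe: writing in place through a hard link would modify the "active" copy as well.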