diff options
| author | Joe MacDonald <joe@deserted.net> | 2014-05-07 14:52:07 -0400 |
|---|---|---|
| committer | Joe MacDonald <joe@deserted.net> | 2014-05-07 14:52:07 -0400 |
| commit | 8b23a11a4907cc095415f5d80d381706fe1e36a0 (patch) | |
| tree | c8dc022961800a19b09d2e8db1e2cde9f02e8c2f /recipes-security/selinux | |
| parent | bd3fb8a5cd30a91ff1f5df91fbc9182da3c5a53d (diff) | |
| download | meta-selinux-8b23a11a4907cc095415f5d80d381706fe1e36a0.tar.gz | |
libsemanage: disable expand-check on policy load
For small policy modules it's not necessary to walk the hierarchy on load.
On embedded devices that are low-powered or resource-constrained disabling
the hierarchy processing can make the difference between seconds and
(many) minutes of load time (or being able to load the policy at all).
Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/selinux')
| -rw-r--r-- | recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch | 32 | ||||
| -rw-r--r-- | recipes-security/selinux/libsemanage_2.2.bb | 1 |
2 files changed, 33 insertions, 0 deletions
diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch new file mode 100644 index 0000000..653cfbb --- /dev/null +++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | From b8c5b743c0e0435b1b89eb93c2b846bda7f132f5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Joe MacDonald <joe@deserted.net> | ||
| 3 | Date: Wed, 7 May 2014 11:36:27 -0400 | ||
| 4 | Subject: [PATCH] libsemanage: disable expand-check on policy load | ||
| 5 | |||
| 6 | For small policy modules it's not necessary to walk the hierarchy on load. | ||
| 7 | On embedded devices that are low-powered or resource-constrained disabling | ||
| 8 | the hierarchy processing can make the difference between seconds and | ||
| 9 | (many) minutes of load time (or being able to load the policy at all). | ||
| 10 | |||
| 11 | Upstream-Status: Denied [upstream developers want to preserve the default | ||
| 12 | checking: http://marc.info/?l=selinux&m=121794804217721&w=2] | ||
| 13 | |||
| 14 | Signed-off-by: Joe MacDonald <joe@deserted.net> | ||
| 15 | --- | ||
| 16 | src/semanage.conf | 4 ++++ | ||
| 17 | 1 file changed, 4 insertions(+) | ||
| 18 | |||
| 19 | diff --git a/src/semanage.conf b/src/semanage.conf | ||
| 20 | index 24e1999..42050a7 100644 | ||
| 21 | --- a/src/semanage.conf | ||
| 22 | +++ b/src/semanage.conf | ||
| 23 | @@ -36,3 +36,6 @@ module-store = direct | ||
| 24 | # version is necessary. | ||
| 25 | #policy-version = 19 | ||
| 26 | |||
| 27 | +# Don't check the entire policy hierarchy when inserting / expanding a policy | ||
| 28 | +# module. This results in a significant speed-up in policy loading. | ||
| 29 | +expand-check=0 | ||
| 30 | -- | ||
| 31 | 1.7.10.4 | ||
| 32 | |||
diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.2.bb index 93daf9f..716296f 100644 --- a/recipes-security/selinux/libsemanage_2.2.bb +++ b/recipes-security/selinux/libsemanage_2.2.bb | |||
| @@ -15,4 +15,5 @@ SRC_URI += "\ | |||
| 15 | file://libsemanage-drop-Wno-unused-but-set-variable.patch \ | 15 | file://libsemanage-drop-Wno-unused-but-set-variable.patch \ |
| 16 | file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \ | 16 | file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \ |
| 17 | file://libsemanage-allow-to-disable-audit-support.patch \ | 17 | file://libsemanage-allow-to-disable-audit-support.patch \ |
| 18 | file://libsemanage-disable-expand-check-on-policy-load.patch \ | ||
| 18 | " | 19 | " |