From 8b23a11a4907cc095415f5d80d381706fe1e36a0 Mon Sep 17 00:00:00 2001
From: Joe MacDonald
Date: Wed, 7 May 2014 14:52:07 -0400
Subject: libsemanage: disable expand-check on policy load

For small policy modules it's not necessary to walk the hierarchy on load. On embedded devices that are low-powered or resource-constrained disabling the hierarchy processing can make the difference between seconds and (many) minutes of load time (or being able to load the policy at all).
Signed-off-by: Joe MacDonald
---
 ...anage-disable-expand-check-on-policy-load.patch | 32 ++++++++++++++++++++++
 recipes-security/selinux/libsemanage_2.2.bb | 1 +
 2 files changed, 33 insertions(+)
 create mode 100644 recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
(limited to 'recipes-security/selinux')
diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
new file mode 100644
index 0000000..653cfbb
--- /dev/null
+++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
@@ -0,0 +1,32 @@
+From b8c5b743c0e0435b1b89eb93c2b846bda7f132f5 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald
+Date: Wed, 7 May 2014 11:36:27 -0400
+Subject: [PATCH] libsemanage: disable expand-check on policy load
+
+For small policy modules it's not necessary to walk the hierarchy on load.
+On embedded devices that are low-powered or resource-constrained disabling
+the hierarchy processing can make the difference between seconds and
+(many) minutes of load time (or being able to load the policy at all).
+
+Upstream-Status: Denied [upstream developers want to preserve the default
+ checking: http://marc.info/?l=selinux&m=121794804217721&w=2]
+
+Signed-off-by: Joe MacDonald
+---
+ src/semanage.conf | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/semanage.conf b/src/semanage.conf
+index 24e1999..42050a7 100644
+--- a/src/semanage.conf
++++ b/src/semanage.conf
+@@ -36,3 +36,6 @@ module-store = direct
+ # version is necessary.
+ #policy-version = 19
+
++# Don't check the entire policy hierarchy when inserting / expanding a policy
++# module. This results in a significant speed-up in policy loading.
++expand-check=0
+--
+1.7.10.4
+
diff --git a/recipes-security/selinux/libsemanage_2.2.bb b/recipes-security/selinux/libsemanage_2.2.bb
index 93daf9f..716296f 100644
--- a/recipes-security/selinux/libsemanage_2.2.bb
+++ b/recipes-security/selinux/libsemanage_2.2.bb
@@ -15,4 +15,5 @@ SRC_URI += "\
 file://libsemanage-drop-Wno-unused-but-set-variable.patch \
 file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
 file://libsemanage-allow-to-disable-audit-support.patch \
+ file://libsemanage-disable-expand-check-on-policy-load.patch \
 "
--
cgit v1.2.3-54-g00ecf
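Review bot: The comment added above `expand-check=0` in src/semanage.conf names only the speed-up and leaves out what is given up. As semanage.conf(5) describes it, expand-check is also the switch for `neverallow` checking, so with it set to 0 a module that violates a neverallow assertion would most likely install without an error. The recipe hunk adds the patch to SRC_URI unconditionally, so this becomes the default for every image built from the layer, not only the resource-constrained targets the description has in mind, and the Upstream-Status line records that upstream declined the change in order to keep the default checking. I would extend the comment with something like `# NOTE: this also disables neverallow assertion checking on module install; set expand-check=1 if policy modules are added or changed on the target.` and check that policy modules are still validated with the check enabled on the build host.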