On 08/25/11 22:22, Eric Paris wrote:
> On 08/25/2011 09:17 PM, Harry Ciao wrote:
>> Daniel J Walsh wrote:
>>> The Fedora policy has removed all calls that do stuff like
>>>
>>> allow XYZ_t { file_type -shadow_t }:file read;
>>>
>>> Which generates hundreds/thousands of rules when run through the M4
>>> macro, since it writes a rule for each file_type except the shadow_t.
>>> Anywhere in policy that we use this construct has to be reworked and
>>> this shrunk the policy by 90%. Your enhancement just adds another 5%
>>> reduction after this change. I sent a patch to refpolicy yesterday to
>>> fix the coreutils interfaces that were doing something like this.
>>>
>> I don't know much about Fedora policy, but for upstream refpolicy and
>> toolchain my patch would contribute a 45% size reduction for raw policy,
>> and before I sent my patchset out for review I had not seen your patch.
>>
>> Anyway, it would be fantastic to have your patch to further drastically
>> reduce the raw policy size; the whole community would benefit from each
>> single contributor's effort like this.
>
> Agreed. I'm excited about both approaches (reducing the policy size by
> using attributes and eliminating needless unused portions of booleans).
> I'm glad to see Dan pushing his changes. Once this patch set is
> finished I'll be very happy to see a further 5-6% reduction in the
> policy size of Fedora!

I merged Dan's patch into Refpolicy. With all modules on, and using a
monolithic build for easy comparison, it reduced the policy.26 from 5.9MB
to 4.5MB, a 23.7% reduction. It's too bad we don't have an optimizing
compiler that can do these optimizations automatically.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
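The blow-up Dan describes, as an added illustration that is not part of the thread and is not refpolicy, M4 or checkpolicy code: a small Python model of SELinux type-set resolution. It assumes a constructed type-to-attribute map (a handful of file types plus a hypothetical non_security_file_type attribute covering every file_type except shadow_t) and a simplified compiler rule: a type set containing a negation has to be enumerated into one rule per concrete type, while a plain attribute reference stays a single rule. Both spellings of the rule grant exactly the same accesses; only the number of compiled rules differs.

```python
"""Toy model of SELinux allow-rule type-set expansion.

Added example, not refpolicy or checkpolicy code. The type/attribute map is
constructed for the example; real refpolicy has thousands of file types,
which is why '{ file_type -shadow_t }' is so expensive there.
"""
import re

# Constructed type -> attribute map. non_security_file_type is a hypothetical
# attribute carried by every file type except shadow_t.
TYPE_ATTRS = {
    "shadow_t":  {"file_type", "security_file_type"},
    "etc_t":     {"file_type", "non_security_file_type"},
    "bin_t":     {"file_type", "non_security_file_type", "exec_type"},
    "usr_t":     {"file_type", "non_security_file_type"},
    "var_log_t": {"file_type", "non_security_file_type", "logfile"},
    "tmp_t":     {"file_type", "non_security_file_type", "tmpfile"},
    "XYZ_t":     {"domain"},
}
ATTRIBUTES = set().union(*TYPE_ATTRS.values())


def members(name):
    """Concrete types denoted by a bare type name or by an attribute name."""
    if name in TYPE_ATTRS:
        return {name}
    if name in ATTRIBUTES:
        return {t for t, attrs in TYPE_ATTRS.items() if name in attrs}
    raise ValueError(f"unknown type or attribute: {name}")


def resolve_set(spec):
    """Resolve a type-set expression such as '{ file_type -shadow_t }'.

    Returns (concrete_types, negated); negated is True when a '-' term was
    present, i.e. when the compiler must enumerate the set member by member.
    """
    keep, drop = set(), set()
    for tok in spec.strip().strip("{}").split():
        if tok.startswith("-"):
            drop |= members(tok[1:])
        else:
            keep |= members(tok)
    return keep - drop, bool(drop)


RULE_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*$"
)


def _parse(rule):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse allow rule: {rule}")
    return m.groups()  # (source set, target set, class, permission set)


def expand(rule):
    """Rules the (simplified) compiler emits for one allow statement.

    A set with a negation is enumerated, one rule per concrete type it
    resolves to; a set without one keeps its attribute/type names symbolic.
    """
    src_spec, tgt_spec, cls, perms = _parse(rule)

    def forms(spec):
        types, negated = resolve_set(spec)
        if negated:
            return sorted(types)
        return spec.strip().strip("{}").split()

    return [f"allow {s} {t}:{cls} {perms};"
            for s in forms(src_spec) for t in forms(tgt_spec)]


def granted(rule):
    """Concrete (source, target, class, permission) tuples a rule grants,
    independent of how it was written. Used to show two spellings are
    equivalent."""
    src_spec, tgt_spec, cls, perms = _parse(rule)
    srcs, _ = resolve_set(src_spec)
    tgts, _ = resolve_set(tgt_spec)
    return {(s, t, cls, p) for s in srcs for t in tgts
            for p in perms.strip("{} ").split()}


# The construct from the thread, and the attribute-based rewrite of it.
NEGATED = "allow XYZ_t { file_type -shadow_t }:file read;"
ATTRIBUTE = "allow XYZ_t non_security_file_type:file read;"

if __name__ == "__main__":
    for rule in (NEGATED, ATTRIBUTE):
        compiled = expand(rule)
        print(f"{rule}\n  -> {len(compiled)} compiled rule(s)")
        for r in compiled:
            print("     ", r)
    print("same accesses granted:", granted(NEGATED) == granted(ATTRIBUTE))
```

With six file types the negated form compiles to five rules and the attribute form to one; scale the map up to the thousands of file types in a real policy and the ratio is the size reduction Dan and Chris are measuring. The check that both forms grant identical accesses is the regression test to keep when rewriting such rules: a missing member in the new attribute silently drops an allow, an extra one silently adds access to shadow_t.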