[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] reinstate SELABEL_OPT_SUBSET optimization
|
From: |
Pádraig Brady |
|
Subject: |
Re: [PATCH] reinstate SELABEL_OPT_SUBSET optimization |
|
Date: |
Tue, 9 Feb 2021 22:19:32 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Thunderbird/84.0 |
On 23/11/2020 22:15, Pádraig Brady wrote:
The attached patch reinstates the "prefix" optimization
from matchpathcon_init_prefix(), with the SELABEL_OPT_SUBSET equivalent.
The original code was added in:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=v6.9.89-7-g56e3106e9
and suggests an 8x perf improvement.
However I'm not seeing any perf difference,
and a very quick scan of the selinux source
suggests the option is moot in the presence of compiled contexts.
I'd rather not add back this code if possible.
Could Red Hat folks indicate how useful it is currently,
and if non compiled policies are a practical consideration for install(1).
Feedback from SELinux folks, confirms that this patch
should no longer be necessary on modern systems.
The SELABEL_OPT_SUBSET option is now deprecated
according to selabel_file(5) man page:
"A non-null value for this option is interpreted as a path prefix, for
example "/etc". Only file context specifications with starting
with a first component that prefix matches the given prefix are loaded.
This may increase lookup performance, however any attempt to look up a
path not starting with the given prefix may fail. This optimization is
no longer required due to the use of file_contexts.bin files and is
deprecated."
cheers,
Pádraig
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [PATCH] reinstate SELABEL_OPT_SUBSET optimization,
Pádraig Brady <=