mirror of
https://github.com/SELinuxProject/selinux
synced 2025-02-13 08:07:38 +00:00
acb2a9bede
Using the Fedora 20 targeted policy, running check_assertions requires an avtab with around 22 million elements. With the default limit of 4096 buckets, performance is abysmal: it takes more than an hour to populate the hash. Profiling shows most of that time under avtab_search_node. This patch increases the hash from 13 to 20 bits and to a maximum of 1048576 buckets. The time for check_assertions on that policy is reduced to about 3 minutes, which is enough to re-enable those checks as part of the build process. A full size table will allocate 4-8 MB of memory, up from 16-32 KB. In a cursory review, these tables are usually short-lived and only 1-3 are allocated together. Compared to the cost of entries in this table (up to 1 GB using the same policy), this isn't a significant increase. Signed-off-by: John Brooks <john.brooks@jolla.com> |
||
|---|---|---|
| checkpolicy | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| policycoreutils | ||
| scripts | ||
| sepolgen | ||
| .gitignore | ||
| Makefile | ||
| README | ||
To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.