
I am thinking of adding compression to libselinux

Basically looking at compressing the policy file to shrink SELinux footprint
in the minimal install/cloud image.

Currently the policy modules (pp files) are shipped with bzip compression but
the actually policy file.

But the /etc/selinux/targeted/policy/policy.29 is not compressed. systemd and
load_policy use libselinux to read in the policy file and load it into the
kernel, so since systemd currently uses libxz, I figured this would be the
best solution to add libxz support to libselinux.

ls -l /etc/selinux/targeted/policy/policy.29*
-rw-r--r--. 1 root root 2703245 Sep 11 13:56 /etc/selinux/targeted/policy/policy.29
-rw-r--r--. 1 root root 395072 Sep 11 13:56 /etc/selinux/targeted/policy/policy.29.xz

Worth the effort?

Should I use a different algorithm?

Advice on using libxz? Keep memory small?

Comments

Re: I am thinking of adding compression to libselinux

By Lennart Poettering at 09/12/2013 - 08:11

Well, you might buy smaller footprint with slower boot time, but I
figure without trying it there's no way to know that for sure.

(That said, our minimal image is a couple of 100mb still, iirc, so 2mb
is not thaaaat much.)

I think nowadays it's either gzip or xz, and everything else is not
interesting, as the others either are slower or compress worse, and
most importantly: libgz/liblzma are deps of the core OS anyway and
included in the minimal image anyway and are also already mapped into
memory, so come basically free.

Lennart

Re: I am thinking of adding compression to libselinux

By Matthew Miller at 09/12/2013 - 09:16

On Thu, Sep 12, 2013 at 02:11:04PM +0200, Lennart Poettering wrote:
It's basically down to the three big unsolved problems (kernel modules,
translations, docs) and then several dozen little things like this. If
getting really small is a priority we need to solve the big problems, but
chipping away at the little things helps too.

+1

Re: I am thinking of adding compression to libselinux

By Josh Boyer at 09/12/2013 - 09:19

On Thu, Sep 12, 2013 at 9:16 AM, Matthew Miller
< ... at fedoraproject dot org> wrote:
I'm still thinking about the kernel modules thing. I don't think it's
going to be an F20 change, but we might be able to do something for
F21 and beyond.

josh

Re: I am thinking of adding compression to libselinux

By Matthew Miller at 09/24/2013 - 11:47

On Thu, Sep 12, 2013 at 09:19:00AM -0400, Josh Boyer wrote:
Thanks Josh. This will be really helpful.

Re: I am thinking of adding compression to libselinux

By Richard W.M. Jones at 09/12/2013 - 15:07

On Thu, Sep 12, 2013 at 09:16:13AM -0400, Matthew Miller wrote:
Lots of distros are now gzip- or xz-compressing kernel modules.
That's the reason for the code I just posted elsewhere in this thread.

Rich.

Re: I am thinking of adding compression to libselinux

By Bill Nottingham at 09/12/2013 - 17:10

Richard W.M. Jones ( ... at redhat dot com) said:
I believe the issue is not that the kernel modules are uncompressed, it's
that there are so many of them that are completely irrelevant in cloud/virt
scenarios.

Bill

Re: I am thinking of adding compression to libselinux

By drago01 at 09/12/2013 - 09:18

On Thu, Sep 12, 2013 at 3:16 PM, Matthew Miller
< ... at fedoraproject dot org> wrote:
How about compression at the file system level?

Re: I am thinking of adding compression to libselinux

By Matthew Miller at 09/12/2013 - 09:42

On Thu, Sep 12, 2013 at 03:18:58PM +0200, drago01 wrote:
Helps in some situations and not in others. (We also already compress the
qcow2 images we offer, so although xz is a little better this doesn't do
much for the network transfer sizes.)

Re: I am thinking of adding compression to libselinux

By drago01 at 09/24/2013 - 11:54

On Thu, Sep 12, 2013 at 3:42 PM, Matthew Miller
< ... at fedoraproject dot org> wrote:
Which are "the others"? Having the file system compressed would gain
you savings without having each application having to implement a
custom compression schema.

Re: I am thinking of adding compression to libselinux

By Daniel J Walsh at 09/12/2013 - 08:16

On 09/12/2013 08:11 AM, Lennart Poettering wrote:

Re: I am thinking of adding compression to libselinux

By Lennart Poettering at 09/12/2013 - 08:25

Well, it could be that fewer disk accesses and stuff might actually
speed things up when you compress things, in which case doing the
compression is faster and smaller, in which case I see no point in
supporting anything but the compressed version...

Lennart

Re: I am thinking of adding compression to libselinux

By Richard W.M. Jones at 09/12/2013 - 15:05

On Thu, Sep 12, 2013 at 07:53:30AM -0400, Daniel J Walsh wrote:
This example code may be helpful. It loads a file that may be gzip or
lzma (xz) compressed into memory:

https://github.com/libguestfs/supermin/blob/master/helper/init.c#L284

Rich.
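
Added example (not part of the thread, and not the supermin code linked above): a Python sketch of the approach Richard describes, loading a file that may be xz, gzip or uncompressed by checking its magic bytes. It also caps decoder memory and decompressed size, which is the concern behind the "Keep memory small?" question in the original post. The limits, function names and sample bytes are assumptions.

```python
import lzma
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"           # xz stream header
GZIP_MAGIC = b"\x1f\x8b"             # gzip member header
MAX_POLICY_BYTES = 64 * 1024 * 1024  # assumed cap on decompressed size
XZ_MEMLIMIT = 32 * 1024 * 1024       # assumed cap on xz decoder memory


class PolicyLoadError(Exception):
    """Raised when the image is truncated, corrupt, or exceeds a limit."""


def detect_format(head: bytes) -> str:
    if head.startswith(XZ_MAGIC):
        return "xz"
    if head.startswith(GZIP_MAGIC):
        return "gzip"
    return "raw"  # anything else is treated as an uncompressed policy


def load_policy_image(blob, max_out=MAX_POLICY_BYTES, memlimit=XZ_MEMLIMIT):
    """Return the uncompressed policy bytes, or raise PolicyLoadError."""
    fmt = detect_format(blob[:6])
    if fmt == "raw":
        if len(blob) > max_out:
            raise PolicyLoadError("policy exceeds size cap")
        return bytes(blob)
    try:
        if fmt == "xz":
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=memlimit)
        else:
            dec = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        # Ask for one byte more than the cap so an overrun is detectable
        # without ever materialising the full expanded stream.
        out = dec.decompress(blob, max_out + 1)
    except (lzma.LZMAError, zlib.error) as exc:
        raise PolicyLoadError(f"{fmt} decode failed: {exc}") from exc
    if len(out) > max_out:
        raise PolicyLoadError("decompressed policy exceeds size cap")
    if not dec.eof:
        raise PolicyLoadError("compressed stream is truncated")
    return out


if __name__ == "__main__":
    sample = b"constructed stand-in for policy.29 " * 4096  # not a real policy
    packed = lzma.compress(sample)
    print(detect_format(packed[:6]), len(packed), len(load_policy_image(packed)))
```

The xz decoder's memory need is set by the dictionary size chosen at compression time, so a loader with a tight `memlimit` only works if the policy is compressed with a correspondingly small dictionary.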