On Thu, 26 May 2005, Colin Walters wrote:

> Ok, this is a more reasonable argument. Does the strict policy really
> require 17M of kernel memory (that's nonpageable?).

It's a lot, not sure if it's quite 17, ISTR about 12 (on 32-bit).

> Stephen/James, is there a way SELinux memory usage could be reduced for
> relatively simple policies like this? Besides older machines, once Xen
> is widely deployed it will be valuable to reduce kernel memory usage so
> that more virtual instances can be deployed on the same machine.

Binary policy could help, although the underlying strategy may need to be
revised.

I'm sure it's possible; the rules look highly compressible (bzip can
compress the binary policy by an order of magnitude), and the typical
active set of rules is usually very small, perhaps 60 or so for a typical
workload, if that.

So, we could look at using a compressed policy database, which would slow
down AVC misses, which are typically infrequent. Even if that was a
problem, we could provide another cache level between the compressed
security database and the AVC.

Or something.

- James
--
James Morris
<jmorris@private>
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 23:37:23 PDT