author | Philip Tricca <flihp@twobit.us> | 2013-10-21 18:06:52 +0000 |
---|---|---|
committer | Mark Hatle <mark.hatle@windriver.com> | 2014-01-10 14:52:11 -0600 |
commit | 765c66a23e13543bda01683000fdaaaf81c83129 (patch) | |
tree | bde8b6a4fef0082ed94716f42280e4783e99d391 | |
parent | baa3df0b71f970b9d8f60c72e5f48f7de5673f8c (diff) | |
download | meta-selinux-765c66a23e13543bda01683000fdaaaf81c83129.tar.gz |
bzip SELinux policy modules in ${datadir}
The 'semodule' utility can operate on compressed modules so the only
cost of this change is a slower module load time when invoking
'semodule -i' on a running system (increased CPU load due to bzip2).
That said, my tests show more than 100M reduction in ext3 image size
of core-image-selinux. This last metric is a bit skewed as the image
includes two policies. Still, a reduction in the size of the refpolicy
package by 1/2 is significant.
(From meta-selinux master rev: d549fef3f4c41140b8f74263724deb75c9b5908e)
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
-rw-r--r-- | recipes-security/refpolicy/refpolicy_common.inc | 9 |
1 files changed, 5 insertions, 4 deletions
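--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -12,7 +12,7 @@ SRC_URI += "file://customizable_types \
 S = "${WORKDIR}/refpolicy"
 
 FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
-${datadir}/selinux/${POLICY_NAME}/*.pp"
+${datadir}/selinux/${POLICY_NAME}/*.pp.bz2"
 FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
 
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
@@ -79,11 +79,12 @@ EOF
 mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
 mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
 touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
-${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
 for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
+bzip2 $i
 if [ "`basename $i`" != "base.pp" ]; then
-bzip2 -c $i > ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`;
+cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
+else
+cp ${i}.bz2 ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
 fi
 done
 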
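Review bot: In the second hunk, `bzip2 $i` compresses each module in place without `-f`, so if a `.pp.bz2` left by an earlier install run is still in `${D}`, bzip2 refuses to overwrite it. Depending on whether the task shell aborts on error, either the install fails or the following `cp` packages the stale archive rather than the freshly built policy module. Writing `bzip2 -f "$i"` and quoting `"${i}.bz2"` in the two `cp` lines would make the step repeatable. A short comment above the `cp` lines would also help, for example `# active store keeps the .pp file name, but the content is bzip2 data`, because the destination name drops the `.bz2` suffix. The enclosing install function starts outside this hunk, so whether `${D}` is cleaned beforehand cannot be confirmed from here.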