libsemanage: Save linked policy, skip re-link when possible
In commit b61922f727d5643265e27654a2d626bcae5d894c ("libsemanage: revert
"Skip policy module re-link when only setting booleans"), we reverted
an optimization for setting booleans since it produced incorrect behavior.
This incorrect behavior was due to operating on the policy with local
changes already merged. However, reverting this change leaves us with
undesirable overhead for setsebool -P. We also have long wanted
to support the same optimization for making other changes that do
not truly require module re-compilation/re-linking.
If we save the linked policy prior to merging local changes, we
can skip re-linking the policy modules in most cases, thereby
significantly improvement the performance and memory overhead of
semanage and setsebool -P commands. Save the linked policy in the
policy sandbox and use it when we are not making a change that requires
recompilation of the CIL modules. With this change, a re-link
is not performed when setting booleans or when adding, deleting, or
modifying port, node, interface, user, login (seusers) or fcontext
mappings. We save linked versions of the kernel policy, seusers,
and users_extra produced from the CIL modules before any local
changes are merged. This has an associated storage cost, primarily
storing an extra copy of the kernel policy file.
Before:
$ time setsebool -P zebra_write_config=1
real 0m8.714s
user 0m7.937s
sys 0m0.748s
After:
$ time setsebool -P zebra_write_config=1
real 0m1.070s
user 0m0.343s
sys 0m0.703s
Resolves: https://github.com/SELinuxProject/selinux/issues/50
Reported-by: Carlos Rodrigues <cefrodrigues@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
3 files changed