CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
4273eb6d6e
meta-selinux/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch
Yi Zhao 4273eb6d6e selinux: upgrade 3.7 -> 3.8 
ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.8

* libsemanage: Preserve file context and ownership in policy store
* libselinux: deprecate security_disable(3)
* libsepol: Support nlmsg extended permissions
* libsepol: Add policy capability netlink_xperm
* libsemanage: Optionally allow duplicate declarations
* policycoreutils: introduce unsetfiles
* libselinux/utils: introduce selabel_compare
* improved selabel_lookup performance
* libselinux: support parallel usage of selabel_lookup(3)
* libsepol: add support for xperms in conditional policies
* Improved man pages
* Code improvements and bug fixes
* Always build for LFS mode on 32-bit archs.
* libsemanage: Mute error messages from selinux_restorecon introduced in
  3.8-rc1
* Regex spec ordering is restored to pre 3.8-rc1
* Binary fcontext files format changed, files using old format are ignored
* Code improvements and bug fixes

License-Update: White space cleanup for libsemanage/LICENSE

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
2025-03-07 14:34:45 -05:00

34 lines
1.2 KiB
Diff
Raw Blame History

From af4948d5a1cfb41338a7539dcd80735b5c250e58 Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe@deserted.net>
Date: Wed, 7 May 2014 11:36:27 -0400
Subject: [PATCH] libsemanage: disable expand-check on policy load
For small policy modules it's not necessary to walk the hierarchy on load.
On embedded devices that are low-powered or resource-constrained disabling
the hierarchy processing can make the difference between seconds and
(many) minutes of load time (or being able to load the policy at all).
Upstream-Status: Denied [upstream developers want to preserve the default
checking: http://marc.info/?l=selinux&m=121794804217721&w=2]
Signed-off-by: Joe MacDonald <joe@deserted.net>
---
src/semanage.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/semanage.conf b/src/semanage.conf
index 98d769b..708fa8c 100644
--- a/src/semanage.conf
+++ b/src/semanage.conf
@@ -40,3 +40,7 @@ module-store = direct
# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen
+
+# Don't check the entire policy hierarchy when inserting / expanding a policy
+# module. This results in a significant speed-up in policy loading.
+expand-check=0
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink