Subject: Re: Are we on the wrong track?
From: Topi Miettinen
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Fri, 12 Jun 2020 10:05:07 +0300

On 12.6.2020 3.03, Russell Coker wrote:
> The reference policy is getting an increasing number of domains and types with
> an O(N^2) level of complexity for writing policy and an O(N^2) size of the
> binary policy. In 2012 the binary policy on my machines was 560k, now it's
> over 2M.

The policy can be shrunk by disabling unused modules; mine is 760k because only 166 modules are enabled out of 506. Some of the modules are for more or less obsolete software (e.g. hal, rlogin, uucp), or they may target proprietary software, which may be of unknown relevance today. Perhaps they should be disabled by default, removed from refpolicy or moved aside to directory "extra" or "Attic"?

The package installer could also propose groups like "all", "most", "recommended", "distro-only" (disable all 3rd party stuff), "minimal" to enable/disable modules.

-Topi
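
As an added illustration (not part of the email and not refpolicy's own code): a sketch of switching off, at build time, the modules the message calls more or less obsolete, assuming the `name = base|module|off` entries of refpolicy's `policy/modules.conf`. The sample file contents and the function names are constructed for the example.

```python
import re

# Constructed sample in the style of refpolicy's policy/modules.conf
# (entries are "name = base | module | off"); not taken from the email.
SAMPLE_MODULES_CONF = """\
# Module: kernel (required in base)
kernel = base
# Module: ssh
ssh = module
# Module: hal
hal = module
# Module: rlogin
rlogin = module
# Module: uucp
uucp = off
"""

# Modules the email gives as examples of more or less obsolete software.
OBSOLETE = {"hal", "rlogin", "uucp"}
_ENTRY = re.compile(r"^(\w+)\s*=\s*(base|module|off)\s*$")


def count_enabled(conf_text):
    """Number of entries built into the policy (state base or module)."""
    return sum(1 for line in conf_text.splitlines()
               if (m := _ENTRY.match(line)) and m.group(2) != "off")


def disable_modules(conf_text, names):
    """Set the named loadable modules to 'off'; 'base' entries are untouched."""
    out, changed = [], []
    for line in conf_text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(1) in names and m.group(2) == "module":
            line = f"{m.group(1)} = off"
            changed.append(m.group(1))
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = disable_modules(SAMPLE_MODULES_CONF, OBSOLETE)
    print(f"enabled before: {count_enabled(SAMPLE_MODULES_CONF)}")
    print(f"enabled after:  {count_enabled(new_text)}; disabled {changed}")
```
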