Re: How NSA access was built into Windows

On Fri, 2007-01-19 at 20:10 -0500, Lyvim Xaphir wrote:
> On Sat, 2007-01-20 at 08:21 +1030, Tim wrote:
> > Tim:
> > >> For some people, having it running certainly causes a performance
> > >> loss. Whether that's down to SELinux, itself, or the logging, I've
> > >> not experimented with.
> > 
> > Lyvim Xaphir:
> > > Have you been able to get around the lag with selinux=0? 
> > 
> > Not that I want to be rude, but what other method do you think I used to
> > determine it was faster without SELinux?
> 
> 
> SELinux has three modes; enforcing (or "active"), warning (or
> "permissive") and "disabled". From what you wrote here I glean that
> you've only compared "active" with "disabled", the two modes you are
> familiar with.  My question was really directed at getting to know if
> you had touched on permissive mode with regards to performance.  I just
> "assumed" that you would know that, which was my error.

Permissive mode shouldn't be any different than enforcing mode wrt
performance, aside from possible differences in what audit messages get
generated and the resulting load on the audit system.

> I understand that "echo 0 > /selinux/enforce" switches an active
> "enforcing" system to permissive mode, and "echo 1 > /selinux/disable"
> is supposed to be equivalent to disabled entirely.  I was also thinking
> that it would be interesting to observe how SELinux behaves with regard
> to performance when the echo method is used to disable, as compared to
> selinux=0.  Just for the heck of it.  Yes I know they are supposed to be
> the same, but still experimental verification couldn't hurt.

selinux=0 is better since it can be detected by SELinux immediately
during initialization and preclude any registration of hooks or
allocation of memory by SELinux.  /selinux/disable has to retroactively
unregister the hooks.  Of course, in the end, both should yield the same
runtime performance since the hooks are no longer registered, but there
could be slight variances.

-- 
Stephen Smalley
National Security Agency
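
Added example (not part of the message above, and not SELinux project code): a shell function for labelling benchmark runs with the mode actually in effect, separating a boot-time selinux=0 from enforcing and permissive. The ROOT parameter, the state labels and the treatment of a missing enforce node as "disabled or not mounted" are assumptions of this example; /sys/fs/selinux is where selinuxfs lives on current kernels, /selinux is the path used in the thread.

```shell
#!/bin/sh
# selinux_state [ROOT]
# Classify the SELinux mode of the system rooted at ROOT (empty = live system).
# ROOT is a hypothetical parameter so the function can be run against a
# constructed directory tree instead of the real /proc and selinuxfs.
selinux_state() {
    root="${1%/}"

    # Boot-time disable: selinux=0 on the kernel command line means SELinux
    # never registered its hooks, so check this before looking at selinuxfs.
    if [ -r "$root/proc/cmdline" ]; then
        case " $(cat "$root/proc/cmdline") " in
            *" selinux=0 "*)
                echo "disabled-at-boot"
                return 0
                ;;
        esac
    fi

    # selinuxfs mount point: legacy /selinux first, then /sys/fs/selinux.
    for dir in "$root/selinux" "$root/sys/fs/selinux"; do
        if [ -r "$dir/enforce" ]; then
            case "$(cat "$dir/enforce")" in
                1) echo "enforcing" ;;
                0) echo "permissive" ;;
                *) echo "unknown" ;;
            esac
            return 0
        fi
    done

    # Assumption of this example: no readable enforce node means SELinux was
    # disabled after boot or selinuxfs is simply not mounted.
    echo "disabled-or-unmounted"
}
```

Calling `selinux_state` with no argument before each timing run records which of the configurations discussed above the numbers belong to.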
