-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/23/2011 10:58 PM, Kevin Kofler wrote:
> Steve Grubb wrote:
>> I think it was mentioned before that systemd is consuming a lot
>> of memory.
>
> The amount quoted was actually ridiculously small considering both
> today's memory sizes and the fact that systemd is a singleton
> process.
>
> Plus, it can be reduced even further (by something like 90%!) by
> disabling SELinux. It's your security stuff which is consuming a
> lot of memory.
>
> Kevin Kofler
>

Well, not wanting to get into this war, this is a little bit of the chicken and the egg. The reason systemd has SELinux memory usage is because it wants to take on the functions that used to be done by other processes, like udev labeling of /dev. Impersonating processes requires SELinux labeling while listening on sockets. Creating content on tmpfs /run requires SELinux labeling. So saying systemd has grown because of SELinux is stretching the truth a little.

With that said, I like some of the features that systemd is bringing to the table, from a security point of view.

Setting up CGroups properly.

Always starting services with a clean environment, i.e. the parent of a service is init rather than some random admin that happened to restart it. SELinux has tons of AVCs over the years caused by an admin sitting in a random directory like /home/dwalsh or /root and starting a service. Lots of bugs have had to be fixed by services using the environment of the admin.

Allowing us to potentially eliminate all services from ever talking to a tty.

I have railed over the years about random root-running daemons using /tmp, and I think systemd using namespacing to change a service's view of /tmp is a good idea. I think using namespacing to eliminate the network is also a good idea, especially when combined with SELinux.

One thing we need to code up is some additional knowledge in systemd to say which types can manage which services. For example we want to say NetworkManager_t can start/stop ntpd but not start/stop the apache server. Similarly we want to have a confined admin type webadm_t that can only start and stop the apache service. In Fedora 14/15 we do this by labeling the initrc script.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5U9vwACgkQrlYvE4MpobOuzgCgnyx3tceuOGuu5xpZNmMVzjaW
m28An1tXwchUnjdBASir+QwXijPa2eam
=w/w6
-----END PGP SIGNATURE-----
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
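The "label the initrc script" mechanism described at the end of the post, written out as an added example in refpolicy-style policy language. This is not code from the mailing-list post or from the Fedora policy itself: webadm_t, webadm_r and NetworkManager_t are the domains named in the post, while httpd_initrc_exec_t, ntpd_initrc_exec_t and initrc_t are assumed here to be the script-label and init-script domain types supplied by the base policy. The point it shows is that the right to start or stop a service is nothing more than the right to execute one specifically labeled script and transition into the init-script domain through it; every other service's script simply gets no rule, so the kernel denies it.

```selinux
# Added example, not from the original post. Assumes a refpolicy/Fedora-style
# base policy that already defines initrc_t and per-service *_initrc_exec_t
# labels (assumption); the service-specific type names are illustrative.
#
# The label itself comes from a file-context entry of the form
#   /etc/rc\.d/init\.d/httpd  --  gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
# so that "service httpd restart" executes a file of type httpd_initrc_exec_t.

policy_module(confined_service_admin, 1.0)

require {
    type webadm_t;
    role webadm_r;
    type NetworkManager_t;
    type initrc_t;
    type httpd_initrc_exec_t;   # label on the httpd init script (assumed name)
    type ntpd_initrc_exec_t;    # label on the ntpd init script (assumed name)
}

########################################
#
# webadm_t: may run the httpd initrc script and nothing else.
#
# Executing a file labeled httpd_initrc_exec_t moves webadm_t into
# initrc_t, which holds the permissions a normal init script needs.
# No rule mentions ntpd_initrc_exec_t here, so running the ntpd script
# from webadm_t is denied and logged as an AVC; that denial is the
# intended control, not a bug to be allowed away with audit2allow.
#

allow webadm_t httpd_initrc_exec_t:file { getattr open read execute };
allow webadm_t initrc_t:process transition;
allow initrc_t httpd_initrc_exec_t:file entrypoint;
type_transition webadm_t httpd_initrc_exec_t:process initrc_t;

# The role must be authorized for the target domain; without this the
# transition fails even though the allow rules above are present.
role webadm_r types initrc_t;

# Let the script inherit the admin shell's descriptors and pipes and
# report its exit status back, which every interactive invocation needs.
allow initrc_t webadm_t:fd use;
allow initrc_t webadm_t:fifo_file { read write getattr };
allow initrc_t webadm_t:process sigchld;

########################################
#
# NetworkManager_t: may run the ntpd initrc script only, so it can
# restart time sync after a network change but cannot touch httpd.
#

allow NetworkManager_t ntpd_initrc_exec_t:file { getattr open read execute };
allow NetworkManager_t initrc_t:process transition;
allow initrc_t ntpd_initrc_exec_t:file entrypoint;
type_transition NetworkManager_t ntpd_initrc_exec_t:process initrc_t;
allow initrc_t NetworkManager_t:fd use;
allow initrc_t NetworkManager_t:fifo_file { read write getattr };
allow initrc_t NetworkManager_t:process sigchld;
```

In a real refpolicy module the four rules of each block are what the `init_labeled_script_domtrans(domain, script_type)` interface expands to, so `init_labeled_script_domtrans(webadm_t, httpd_initrc_exec_t)` is the idiomatic spelling of the webadm_t section. After loading the module, the transition can be confirmed with setools, for example `sesearch -T -s webadm_t -t httpd_initrc_exec_t -c process`, and the absence of any result for the ntpd script type is the evidence that the confinement holds. This is also why the post calls for equivalent knowledge in systemd: once the service is started over a socket request to init rather than by executing a labeled script, the execve-based transition above no longer happens, and the "which type may manage which service" decision has to be made somewhere else.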