On Thu, 2005-06-23 at 11:08 -0400, Paul A Houle wrote:
> Two more concerns came up for me with SELinux:
>
> (i) scalability on SMP -- I can attest that this is a nice machine:
>
> http://www.sun.com/servers/entry/v40z/index.jsp
>
> running four single-core processors: this four-socket machine upgrades
> to an eight-way machine with dual core processors -- this really changes
> the economics of SMP and is going to push the 'sweet spot' from 2-way
> towards 4-way and 8-way. System-on-chip is the major path for
> performance increases in the future, and we might even have 16-way
> desktop systems in a decade. Linux 2.6 is ready, but is SELinux?

I think so. We used to have a major scalability bottleneck in our
access vector cache (AVC) due to use of a global spinlock, but KaiGai
Kohei of NEC converted it to RCU, and demonstrated good scalability on
a 32-way system, and IBM later reported that those patches also
addressed scalability problems they were seeing. There are still known
areas where improvement is desirable in baseline performance and
network scalability of SELinux, but the AVC was the largest obstacle to
scalability.

> (ii) reliability -- Linux 2.6 is a big advance over Linux 2.4, but we
> had a crash last night. Unlike our struggles with 2.4, we found that
> the problem had already been reported and fixed in a recent kernel
> version. It's hard to fix bugs that aren't easily repeatable, and the
> longer code paths get, the worse things get.

Getting SELinux into the mainline kernel and getting it enabled by
default in Fedora and RHEL was a big step forward here. We've already
seen significant maturing of the code as a result. A set of selinux
testcases was also recently added to the LTP, and IBM has been working
on expanding that set of testcases. So I think we are on the right
track, even though much work remains.

--
Stephen Smalley
National Security Agency