RE: FC4 kernel performance


 



> -----Original Message-----
> From: fedora-devel-list-bounces@xxxxxxxxxx [mailto:fedora-devel-list-
> bounces@xxxxxxxxxx] On Behalf Of Paul A Houle
> Sent: Thursday, June 23, 2005 11:08 AM
> To: Development discussions related to Fedora Core
> Subject: Re: FC4 kernel performance
> 
> 
> >
> >I have doubts about such play machines except as a learning tool, but if
> >you are interested, Russell Coker has a SELinux play machine available
> >with information at:
> >http://www.coker.com.au/selinux/play.html
> >
> >
>     Yeah,  I thought about this a lot last night,  and realized that
> even if the SELinux implementation in the kernel was perfect,
> everything hangs on the userspace implementation.

Not certain what you mean here - certainly there are userspace applications that
must be correct (any process that authenticates a user and sets their initial
context for example) but there are relatively few. Can you explain this a bit
more?

>  There's a certain
> emotional reaction that people get from hearing that you can log in as
> 'root' and it's harmless,  but the real threats are attacks on real
> systems that do real work,  not straw men that were set up to be (or not
> be) knocked down.
> 

Certainly - these machines are just demonstrating that the mechanism works and
is flexible. SELinux can thwart these real attacks if properly configured and
the applications are appropriately architected. The work now is, I think,
utilizing that capability.

Karl

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

>     Two more concerns came up for me with SELinux:
> 
> (i) scalability on SMP -- I can attest that this is a nice machine:
> 
> http://www.sun.com/servers/entry/v40z/index.jsp
> 
> running four single-core processors:  this four-socket machine upgrades
> to an eight-way machine with dual core processors -- this really changes
> the economics of SMP and is going to push the 'sweet spot' from 2-way
> towards 4-way and 8-way.  System-on-chip is the major path for
> performance increases in the future,  and we might even have 16-way
> desktop systems in a decade.  Linux 2.6 is ready,  but is SELinux?
> 
> (ii) reliability -- Linux 2.6 is a big advance over Linux 2.4,  but we
> had a crash last night.  Unlike our struggles with 2.4,  we found that
> the problem had already been reported and fixed in a recent kernel
> version. It's hard to fix bugs that aren't easily repeatable,  and the
> longer code paths get,  the worse things get.
> 
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-devel-list

