Re: selinux and udev ?

On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
> There are reports in fedora-test about the 2.X policy slowing down
> udev. (Appears that folks are comparing booting with selinux=1 with
> selinux=0).
> 
> I have to admit that udev is running slower (targeted/enforcing).
> 
> Any validity to this?  Known issue? How to track down?

First, check whether you have any avc denials associated with udev in
your audit.log.

If not, then the slowdown is likely in matchpathcon(3), used to match a
path against the file_contexts configuration to obtain a security
context to apply to the device node.  Could be a result of:
- differences in the file_contexts configurations between reference
policy and the original targeted policy (ordering, regex stem lengths,
regex complexity, number of entries, ...),
- the introduction of context canonicalization into matchpathcon(3) to
avoid problems with type aliases (in which case it shouldn't be
different between reference policy and the original targeted policy,
just between old libselinux/kernel versus newer libselinux/kernel
combination - you need both a recent libselinux and a recent kernel to
have the canonicalization support enabled).

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
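
Added example, not part of the original message or of any SELinux tool: a sketch of the first check suggested in the reply, tallying AVC denials attributable to udev from audit.log lines. The log lines are constructed, and the udev_t domain name and the "udev" command prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1133281201.101:11): avc:  denied  { read write } for  pid=512 comm="udevd" name="null" dev=tmpfs ino=1201 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1133281201.250:12): avc:  denied  { read write } for  pid=530 comm="udevd" name="null" dev=tmpfs ino=1201 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1133281202.007:13): avc:  denied  { getattr } for  pid=611 comm="MAKEDEV" name="sda" dev=tmpfs ino=1300 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1133281203.400:14): avc:  granted  { setenforce } for  pid=700 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1133281204.000:15): avc:  denied  { search } for  pid=820 comm="httpd" name="home" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1133281204.000:15): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def udev_denials(log_text, domain="udev_t", comm_prefix="udev"):
    """Count denied (permission, class, target type) triples for udev.

    A record counts when its source domain is `domain` (assumed name) or
    its command name starts with `comm_prefix`, so helper programs that
    run in the udev domain are included.
    """
    tally = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # granted records, SYSCALL records, other lines
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        from_udev = (selinux_type(fields.get("scontext", "")) == domain
                     or fields.get("comm", "").startswith(comm_prefix))
        if not from_udev:
            continue
        for perm in m.group(1).split():
            tally[(perm, fields.get("tclass", "?"),
                   selinux_type(fields.get("tcontext", "")))] += 1
    return tally

if __name__ == "__main__":
    for (perm, tclass, ttype), n in udev_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {perm:8s} {tclass:10s} {ttype}")
```

On a real system the input would be the contents of audit.log; an empty tally points toward the matchpathcon(3) explanations given in the reply.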
