On Tue, 2005-11-29 at 11:48 -0500, Stephen Smalley wrote:
> On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
> > There are reports in fedora-test about the 2.X policy slowing down
> > udev. (Appears that folks are comparing booting with selinux=1 with
> > selinux=0).
> >
> > I have to admit that udev is running slower (targeted/enforcing).
> >
> > Any validity to this? Known issue? How to track down?
>
> First, check whether you have any avc denials associated with udev in
> your audit.log.
>
> If not, then the slowdown is likely in matchpathcon(3), used to match a
> path against the file_contexts configuration to obtain a security
> context to apply to the device node. Could be a result of:
> - differences in the file_contexts configurations between reference
> policy and the original targeted policy (ordering, regex stem lengths,
> regex complexity, number of entries, ...),
> - the introduction of context canonicalization into matchpathcon(3) to
> avoid problems with type aliases (in which case it shouldn't be
> different between reference policy and the original targeted policy,
> just between old libselinux/kernel versus newer libselinux/kernel
> combination - you need both a recent libselinux and a recent kernel to
> have the canonicalization support enabled).

Random thought: As udev only manages devices, why not run file_contexts
through a filter to extract /dev entries at policy build time, saving
the result as a file_contexts.dev file, and have udev use
matchpathcon_init() to select that file for its matching? That would
then avoid having to process the entire file contexts configuration for
udev.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
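One way the build-time filter proposed in the message could look, as an added example that is not code from the post, libselinux or udev. All function names and the sample entries are hypothetical. It assumes entries whose regex has no fixed /dev prefix (such as `/.*`) must be kept, because they can still match device nodes, and that original order is preserved.

```python
import re
META = set(".^$?*+|[](){}\\")
# Constructed sample entries (type names illustrative, not from a shipped policy).
SAMPLE = r"""
/.*                     system_u:object_r:default_t
/usr/(s)?bin/.*    --   system_u:object_r:bin_t
/dev/null          -c   system_u:object_r:null_device_t
/dev/[shmx]d[^/]*  -b   system_u:object_r:fixed_disk_device_t
/var/(run|lock)/.*      system_u:object_r:var_run_t
""".splitlines()

def literal_prefix(regex):
    """Return (leading literal text, True if the whole regex is literal)."""
    out = []
    for esc, ch in re.findall(r"\\(.)|(.)", regex):
        if esc and not esc.isalnum():
            out.append(esc)               # escaped punctuation (\.) is a literal
        elif esc or ch in META:
            if ch and ch in "?*{" and out:
                out.pop()                 # x?, x*, x{..}: previous char is optional
            return "".join(out), False
        else:
            out.append(ch)
    return "".join(out), True

def has_top_level_alt(regex):
    """True if '|' occurs outside any group, so no single prefix applies."""
    bare = re.sub(r"\\.|\[\^?\]?[^\]]*\]", "", regex)  # drop escapes, bracket classes
    depth = 0
    for c in bare:
        depth += (c == "(") - (c == ")")
        if c == "|" and depth == 0:
            return True
    return False

def may_match_dev(regex):
    """Conservative: could this regex match /dev or a path below it?"""
    prefix, whole = literal_prefix(regex)
    if whole:
        return prefix == "/dev" or prefix.startswith("/dev/")
    return (has_top_level_alt(regex) or prefix.startswith("/dev/")
            or "/dev/".startswith(prefix))

def filter_dev(lines):
    """Keep matching entries in their original order; skip blanks and comments."""
    return [l.rstrip() for l in lines
            if l.split() and not l.lstrip().startswith("#")
            and may_match_dev(l.split()[0])]

print("\n".join(filter_dev(SAMPLE)))
```

The filtered output is what would be written to file_contexts.dev and handed to matchpathcon_init(); a filter that dropped the catch-all entries could change labeling results compared with the full file.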