On Tue, 2005-12-06 at 10:45 -0500, Stephen Smalley wrote:
> Hmmm...I'm still not sure I understand why there has been a recent
> slowdown, as I wouldn't have expected either reference policy or the
> matchpathcon canonicalization to have added that much overhead
> (particularly as we were already validating the contexts). From your
> numbers above, it seems that the canonicalization is adding significant
> overhead, since the canonicalization is performed lazily in libselinux
> 1.27.28, but we still have major overhead remaining.
>
> How exactly are you timing the startup time here, e.g. are you just
> inserting a time command prior to the /sbin/start_udev call in
> rc.sysinit or are you timing the entire sequence including the
> Initializing hardware setup?
>
> udev could/should be changed to call matchpathcon_init_prefix(NULL,
> "/dev") once at startup prior to any matchpathcon() calls to avoid the
> overhead of processing the entire file_contexts configuration. But I'd
> like to get more information on where that time is being spent currently
> as well, so I'd like to know exactly how you are measuring so I can
> reproduce it and then try to profile it.

Part of the slowdown could also be from libsetrans (both on translating contexts prior to storing them in the spec array and for the translation that occurs upon the security_canonicalize_context calls). Possibly we should make the context translation lazy as well, as with the canonicalization. But the largest savings are likely to come from using matchpathcon_init_prefix() and avoiding processing of many file_contexts entries altogether.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
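The saving from a "/dev" prefix discussed in the message above can be illustrated with a small stand-alone C model; this is an added example, not code from the thread or from libselinux. The entries, the helper names (`literal_stem`, `may_match_prefix`, `count_kept`) and the conservative skip rule are assumptions made for illustration, and libselinux's own filtering may differ.

```c
#include <stdio.h>
#include <string.h>

/* Constructed file_contexts-style entries (path regex, context); not real policy. */
struct spec { const char *regex; const char *context; };
static const struct spec specs[] = {
    { "/.*",             "system_u:object_r:default_t" },
    { "/dev/.*",         "system_u:object_r:device_t" },
    { "/dev/null",       "system_u:object_r:null_device_t" },
    { "/dev/[sh]d[^/]*", "system_u:object_r:fixed_disk_device_t" },
    { "/usr/bin(/.*)?",  "system_u:object_r:bin_t" },
    { "/etc/passwd",     "system_u:object_r:etc_t" },
    { "/var/log(/.*)?",  "system_u:object_r:var_log_t" },
    { "/home/[^/]+/.*",  "system_u:object_r:user_home_t" },
};
#define NSPECS (sizeof(specs) / sizeof(specs[0]))

/* Length of the literal text that every match of the regex must start with. */
size_t literal_stem(const char *regex)
{
    size_t n;
    if (strchr(regex, '|'))
        return 0;   /* alternation: assume no mandatory stem (conservative) */
    n = strcspn(regex, ".^$?*+[({\\");
    if (n > 0 && regex[n] != '\0' && strchr("?*{", regex[n]))
        n--;        /* the last literal character may be optional */
    return n;
}

/* 1 if the entry could label a path under prefix, 0 if it can be skipped. */
int may_match_prefix(const char *regex, const char *prefix)
{
    size_t stem = literal_stem(regex), plen = strlen(prefix);
    return strncmp(regex, prefix, stem < plen ? stem : plen) == 0;
}

/* Entries that would still be processed; a NULL prefix keeps all of them. */
size_t count_kept(const char *prefix)
{
    size_t i, kept = 0;
    for (i = 0; i < NSPECS; i++)
        if (!prefix || may_match_prefix(specs[i].regex, prefix))
            kept++;
    return kept;
}

int main(void)
{
    printf("no prefix:   %zu entries processed\n", count_kept(NULL));
    printf("prefix /dev: %zu entries processed\n", count_kept("/dev"));
    return 0;
}
```

The rule only skips an entry when its mandatory literal stem disagrees with the prefix, so entries such as `/.*` that can still label a node under `/dev` are always kept.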