>> I have measured a performance to check hierarchy/neverallow constraint
>> with patched libsepol as a trial. Unfortunately, about 80% of CPU time
>> is consumed by check_assertions() for neverallows.
>>
>> [root@saba ~]# time -p semodule -r kaigai
>> hierarchy_check_constraints: 37.32 [s]
>> check_assertions: 139.05 [s]
>> real 205.32
>> user 198.06
>> sys 3.75
>>
>> These checks at policy load time give us a negative effect in system
>> bootup time, unless there are remarkable improvements. So, I prefer the
>> lazy dynamic checking approach.
>>
>> (*) System bootup time is one of the major topics for embedded Linux folks.
>
> Ok. I'd be interested in seeing that libsepol patch nonetheless, and we
> may want to retain full checking there as an option for validation at
> policy build time (via make validate) while introducing lazy dynamic
> checking in the kernel.

I tried to run semodule with patched libsepol to deliver NEVERALLOW rules
into kernel space; however, its cost was extremely expensive and unacceptable.
Some NEVERALLOWs cover a wide range of types, like:

  neverallow ~{ domain unlabeled_t } *:process *;

It is finally translated into a massive amount of avtab structure, and it
makes the size of the security policy grow. In my estimation, the above
single NEVERALLOW constraint makes about 4,000,000 avtab entries and will
consume 48Mb of additional memory and storage for nonsense purpose in most
cases. So, I reconsidered: the feature to check NEVERALLOW should not be
ported into kernelspace.

(*) I killed semodule due to its long processes...
[root@saba libsepol]# ls -lh /etc/selinux/targeted/modules/tmp/policy.kern
-rw-r--r-- 1 root root 29M 2008-08-01 15:08 /etc/selinux/targeted/modules/tmp/policy.kern
                       ^^^
[root@saba libsepol]# ls -lh /etc/selinux/targeted/policy/
total 11M
-rw-r--r-- 1 root root 3.4M 2008-04-03 15:19 policy.22
-rw-r--r-- 1 root root 3.7M 2008-07-22 19:27 policy.23
-rw-r--r-- 1 root root 3.7M 2008-08-01 13:45 policy.24

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
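The size argument in the message above (one neverallow over ~{ domain unlabeled_t } and all target types expanding to millions of avtab entries) is easy to reproduce with a small model. The Python below is an added example, not code from the post, from libsepol or from the SELinux kernel code: it counts how many (source, target, class) avtab keys a neverallow with wildcard type sets would materialise, converts that to bytes under an assumed per-entry cost, and contrasts it with a lazy check that keeps the rule in its compact form and tests a single allow rule against it in constant time. The 2000-name type list, the class set, the 12-byte entry size and the probe rules are all constructed assumptions; in a real policy "domain" is an attribute that would expand to many types, and a real avtab node is larger than 12 bytes.

```python
"""Added example (not from the mailing-list post): model what happens when a
neverallow with wildcard type sets is lowered to explicit avtab entries, the
way a libsepol patch delivering neverallows into the kernel would have to,
against keeping the rule compact and checking each allow rule lazily.
All type names, counts and the per-entry size are constructed assumptions."""

# Assumed per-entry cost. 12 bytes is simply what the post's two figures imply
# (48,000,000 bytes / 4,000,000 entries); a real avtab node is larger.
AVTAB_ENTRY_BYTES = 12

ALL = "*"  # wildcard for a type set, class set or permission set


def type_matches(spec, t):
    """Does type t fall inside a type-set spec?  spec is ALL, a frozenset of
    names, or ("~", frozenset) for a negated set such as ~{ domain unlabeled_t }.
    Constant time: this is all a lazy checker needs per rule."""
    if spec == ALL:
        return True
    if isinstance(spec, tuple) and spec[0] == "~":
        return t not in spec[1]
    return t in spec


def resolve_types(spec, all_types):
    """Materialise a type-set spec into concrete type names (what expansion does)."""
    return {t for t in all_types if type_matches(spec, t)}


def count_avtab_entries(rule, all_types, all_classes):
    """Number of (source, target, class) keys the rule expands to.  Permissions
    live in a bitmap inside each entry, so they do not multiply the count."""
    n_src = len(resolve_types(rule["src"], all_types))
    n_tgt = len(resolve_types(rule["tgt"], all_types))
    n_cls = len(all_classes) if rule["class"] == ALL else len(rule["class"])
    return n_src * n_tgt * n_cls


def expanded_bytes(rule, all_types, all_classes):
    """Memory the expanded form would add at AVTAB_ENTRY_BYTES per entry."""
    return count_avtab_entries(rule, all_types, all_classes) * AVTAB_ENTRY_BYTES


def lazy_violation(never, allow):
    """Check one allow rule against the compact neverallow without expanding it.
    allow = {"src": type, "tgt": type, "class": cls, "perms": set}.
    A few set lookups, independent of how many types the policy has."""
    if not type_matches(never["src"], allow["src"]):
        return False
    if not type_matches(never["tgt"], allow["tgt"]):
        return False
    if never["class"] != ALL and allow["class"] not in never["class"]:
        return False
    if never["perms"] == ALL:
        return True
    return bool(set(allow["perms"]) & set(never["perms"]))


# Constructed policy model: 2000 type names, two of which are the names in the
# negated set of the post's rule.  "domain" is treated as a single name here.
CLASSES = frozenset({"process", "file", "dir"})
TYPES = ["domain", "unlabeled_t"] + [f"type_{i:04d}" for i in range(1998)]

# neverallow ~{ domain unlabeled_t } *:process *;
NEVERALLOW_PROCESS = {
    "src": ("~", frozenset({"domain", "unlabeled_t"})),
    "tgt": ALL,
    "class": frozenset({"process"}),
    "perms": ALL,
}

if __name__ == "__main__":
    n = count_avtab_entries(NEVERALLOW_PROCESS, TYPES, CLASSES)
    mb = expanded_bytes(NEVERALLOW_PROCESS, TYPES, CLASSES) / 1e6
    print(f"expanded avtab entries: {n:,} (~{mb:.1f} MB at {AVTAB_ENTRY_BYTES} B each)")
    # constructed allow rule that the neverallow forbids
    probe = {"src": "type_0007", "tgt": "type_0042", "class": "process",
             "perms": {"transition"}}
    print("allow type_0007 type_0042:process transition; violates:",
          lazy_violation(NEVERALLOW_PROCESS, probe))
```

With 2000 types the expanded form is 1998 × 2000 × 1 = 3,996,000 entries, which is where the "about 4,000,000" and "48Mb" in the message come from; the count is quadratic in the number of types, while the lazy check does the same membership tests per allow rule regardless of policy size.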