On Feb 25, 2009, at 4:26 PM, Eamon Walsh wrote:
Stephen Smalley wrote:
On Wed, 2009-02-25 at 15:50 -0500, Eric Paris wrote:
So the X people here at Red Hat complained the other day that they have
to do an open, write, read, close very very often on /selinux/create.
They'd like to cut the number of syscalls down. Even if the open and
close are fast, they are still syscalls that still take time and still
provide maximum limits on the operations per second they can do. (I
think ajax said he was estimating it at 10000/sec, but I don't remember
the math or even if it was reasonable)
Wouldn't it be simpler and more efficient to just start caching the
results of security_compute_create in the AVC so that
avc_compute_create() will get most answers from the cache, just like
avc_has_perm()?
Yes, this is the way to go. All of the compute_create calls made from
the SELinux extension are done through the avc_compute_create() helper
function in libselinux and a cache layer could be added to that function
to avoid the call to security_compute_create_raw() which calls the
filesystem, similar to how avc_has_perm_noaudit() works. This has been
proposed in the past just not implemented yet.
Yup, we have a caching layer on top (you don't want it) from the CMW
days. HUGE performance win on the CMW.
joe
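
The cache layer discussed in this thread, sketched as an added example; it is not part of the original messages and is not libselinux code. All names (cached_compute_create, backend_compute_create, policy_reload), the labeling rule and the sample contexts are constructed, and the policy generation counter is an assumption added so that answers computed under an old policy are never reused.

```c
#include <stdio.h>
#include <string.h>
#define SLOTS   256
#define CTX_MAX 128
struct entry {                       /* one direct-mapped cache slot */
    int used; unsigned short tclass;
    unsigned seqno;                  /* policy generation the answer was computed under */
    char scon[CTX_MAX], tcon[CTX_MAX], newcon[CTX_MAX];
};
static struct entry cache[SLOTS];
static unsigned policy_seqno = 1;    /* hypothetical: bumped on every policy reload */
static unsigned long backend_calls;  /* simulated kernel round trips */
/* Stand-in for the open/write/read/close on /selinux/create; the rule is constructed. */
static int backend_compute_create(const char *scon, const char *tcon, unsigned short tclass, char *out, size_t n)
{
    backend_calls++;
    int len = snprintf(out, n, "%s|%s|%u|p%u", scon, tcon, (unsigned)tclass, policy_seqno);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}
static unsigned long key_hash(const char *s, const char *t, unsigned short c)
{
    unsigned long h = 2166136261u;   /* FNV-1a style mix of both contexts and the class */
    for (; *s; s++) h = (h ^ (unsigned char)*s) * 16777619u;
    for (h ^= 0xff; *t; t++) h = (h ^ (unsigned char)*t) * 16777619u;
    return (h ^ c) * 16777619u;
}
void policy_reload(void) { policy_seqno++; }   /* older entries no longer match */

int cached_compute_create(const char *scon, const char *tcon, unsigned short tclass, char *out, size_t n)
{
    if (strlen(scon) >= CTX_MAX || strlen(tcon) >= CTX_MAX || n < CTX_MAX) return -1;
    struct entry *e = &cache[key_hash(scon, tcon, tclass) % SLOTS];
    if (e->used && e->seqno == policy_seqno && e->tclass == tclass &&
        !strcmp(e->scon, scon) && !strcmp(e->tcon, tcon)) {
        strcpy(out, e->newcon);      /* hit: no syscalls at all */
        return 0;
    }
    if (backend_compute_create(scon, tcon, tclass, out, CTX_MAX) < 0) return -1;
    e->used = 1; e->seqno = policy_seqno; e->tclass = tclass;   /* miss: remember the answer */
    strcpy(e->scon, scon); strcpy(e->tcon, tcon); strcpy(e->newcon, out);
    return 0;
}
int main(void)
{
    char out[CTX_MAX];
    for (int i = 0; i < 10000; i++)  /* repeated identical lookups, as an X server would issue */
        cached_compute_create("u:r:xserver_t", "u:object_r:window_t", 5, out, sizeof out);
    printf("%lu backend call(s) for 10000 lookups\n", backend_calls);
    return 0;
}
```

The full (source context, target context, class) triple is compared on every hit, so a hash collision can only cause a miss, never a wrong label.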