Remmolt G. Zwartsenberg wrote:
> Hi KaiGai,
>
> From a mediation and billing perspective, I agree with you.
> The Network Management part of the OSS system uses URLs that resolve to
> high-latency authentication, that need no encryption in the columns.
>
> In VOIP tunnels this can lead to congestion, i.e. in 2-way Iridium
> conversations. Erroneous frame dragging?

Sorry, I'm not sure what you want to discuss.

In the previous message, I introduced a workload inside of PostgreSQL which
tends to look up the userspace avc with the same subject context many times.
It is not a workload between the client application and the RDBMS.

Thanks,

> Kind regards,
>
> ~remmolt
>
> Philips NEC Business Communication Systems NL
>
> remmolt@xxxxxxxxxxxxxxx
>
> -----Original Message-----
> From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx] On
> Behalf Of KaiGai Kohei
> Sent: Thursday, 3 September 2009 4:07
> To: Stephen Smalley
> Cc: Joshua Brindle; Eamon Walsh; SELinux List; KaiGai Kohei
> Subject: Re: [PATCH] libselinux: disable refcounting in the userspace AVC
>
> Stephen Smalley wrote:
>>> IIRC sepostgres reimplemented its sidtab and avc because our current one
>>> wasn't very friendly to multithread/multiprocess object managers.
>> Looking back, I think KaiGai's reasons were:
>> - he didn't see benefit to the indirection of the AVC SID table since
>> PostgreSQL has to directly manage security contexts for persistent
>> labeling,
>
> Yes, it uses an object identifier which is associated with a certain
> text representation of a security context as the key to look up its
> userspace avc.
>
>> - he wanted to enable sharing of the AVC (via shared memory) and the
>> netlink thread among all PostgreSQL instances (processes, not just
>> threads).
>
> The pgsql-hackers didn't like the idea of deploying the userspace avc on the
> shared memory segment, so I had to change its implementation.
> Now, it puts only a flag to notify all the server processes of avc
> invalidation. A background netlink process updates the flag on the shared
> memory segment, then the other server processes voluntarily invalidate the
> userspace avc deployed in their process-local memory prior to looking it up.
>
> In addition, the characteristics of the database workload allow more
> optimization from a performance perspective.
> The subject security context of the userspace avc deployed in process-local
> memory is unchanged (except for trusted procedure execution), so
> SE-PostgreSQL categorizes all the avc entries by subject context to omit
> the comparison of the subject context.
> (Note that the subject context is not a database object, so it does not have
> an object identifier. Comparing subject contexts requires strcmp().)
>
> Because the database workload (with row-level security) needs to look up
> avc entries a massive number of times in a short time, this kind of
> optimization is very important. In the past, I tried comparing the subject
> context to look up the avc entry, and it recorded 50% of the
> transactions-per-second of vanilla PostgreSQL. :(
>
> Thus, it is now not necessary to consider the use cases of SE-PostgreSQL
> when updating the userspace avc stuff in libselinux.
>
> Thanks,

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
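The design KaiGai describes in the quoted message (a per-process avc holding entries for a single subject context, keyed by object identifier so no strcmp() is needed, plus a flag on shared memory that a background netlink process bumps and that each backend checks before a lookup) can be sketched in a few dozen lines of C. The following is an added example, not SE-PostgreSQL or libselinux code: the class and permission numbers, the policy oracle that stands in for the security server, the security context string and the single global that stands in for the shared memory flag are all constructed for the demonstration. The scenario function runs the same three checks with and without honoring the invalidation flag, so the stale answer a process gets when it skips the check is visible next to the correct one.

```c
/* Added example, not SE-PostgreSQL or libselinux code. Every entry belongs to the
 * one subject context the backend runs as, so the key is (label oid, class) and no
 * strcmp() on the subject is needed. A word standing in for the flag on the shared
 * memory segment is bumped by the "netlink process" on reload; a backend compares it
 * with its own generation before a lookup and flushes its local cache when stale.
 * Class/permission numbers, the policy oracle and the context string are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define AVC_BUCKETS 64
typedef uint32_t access_vector_t;
enum { CLASS_DB_TABLE = 1 };                           /* hypothetical class number */
enum { PERM_SELECT = 1u << 0, PERM_UPDATE = 1u << 1 }; /* hypothetical permission bits */

static volatile uint32_t shared_avc_generation; /* stands in for the shared memory flag */
static int policy_version;                      /* stands in for the loaded policy */

/* What the background netlink listener does when a policy reload message arrives. */
void netlink_policy_reloaded(int new_version)
{
    policy_version = new_version;
    shared_avc_generation++; /* every backend notices this before its next lookup */
}

/* Constructed oracle in place of security_compute_av(): version 1 drops UPDATE on oid 100. */
static access_vector_t compute_av(uint32_t oid, uint16_t tclass)
{
    if (tclass != CLASS_DB_TABLE) return 0;
    if (oid == 100 && policy_version == 0) return PERM_SELECT | PERM_UPDATE;
    return PERM_SELECT;
}

struct avc_entry { uint32_t oid; uint16_t tclass; access_vector_t allowed; struct avc_entry *next; };
struct local_avc {
    const char *subject;  /* the one subject context this cache serves */
    uint32_t generation;  /* shared_avc_generation when last (re)filled */
    unsigned long hits, misses, flushes;
    struct avc_entry *buckets[AVC_BUCKETS];
};

void avc_flush(struct local_avc *avc)
{
    for (int i = 0; i < AVC_BUCKETS; i++) {
        for (struct avc_entry *e = avc->buckets[i], *n; e; e = n) { n = e->next; free(e); }
        avc->buckets[i] = NULL;
    }
    avc->flushes++;
}

/* Read the shared word once; if it moved, flush and remember the value seen, so a
 * bump that lands after this read is caught on the next lookup instead of lost. */
static void avc_check_invalidation(struct local_avc *avc)
{
    uint32_t now = shared_avc_generation;
    if (now == avc->generation) return;
    avc_flush(avc);
    avc->generation = now;
}

/* Lookup without the invalidation check, to show what a stale cache returns. */
access_vector_t avc_lookup_nocheck(struct local_avc *avc, uint32_t oid, uint16_t tclass)
{
    unsigned h = ((oid * 2654435761u) ^ tclass) % AVC_BUCKETS;
    for (struct avc_entry *e = avc->buckets[h]; e; e = e->next)
        if (e->oid == oid && e->tclass == tclass) { avc->hits++; return e->allowed; }
    avc->misses++;
    struct avc_entry *ne = malloc(sizeof(*ne));
    if (!ne) return 0; /* allocation failure: deny */
    ne->oid = oid; ne->tclass = tclass; ne->allowed = compute_av(oid, tclass);
    ne->next = avc->buckets[h]; avc->buckets[h] = ne;
    return ne->allowed;
}

access_vector_t avc_lookup(struct local_avc *avc, uint32_t oid, uint16_t tclass)
{
    avc_check_invalidation(avc);
    return avc_lookup_nocheck(avc, oid, tclass);
}

struct scenario_result { int update_allowed_before, update_allowed_after; unsigned long hits, misses, flushes; };

/* One backend checks UPDATE on oid 100 twice, the policy is reloaded, it checks again. */
struct scenario_result avc_scenario(int honor_invalidation)
{
    access_vector_t (*lookup)(struct local_avc *, uint32_t, uint16_t) =
        honor_invalidation ? avc_lookup : avc_lookup_nocheck;
    struct scenario_result r;
    struct local_avc avc = { .subject = "system_u:system_r:postgresql_t:s0" }; /* constructed */
    policy_version = 0; shared_avc_generation = 0;
    avc.generation = shared_avc_generation;
    r.update_allowed_before = (lookup(&avc, 100, CLASS_DB_TABLE) & PERM_UPDATE) != 0;
    lookup(&avc, 100, CLASS_DB_TABLE); /* second time: served from the cache */
    netlink_policy_reloaded(1);
    r.update_allowed_after = (lookup(&avc, 100, CLASS_DB_TABLE) & PERM_UPDATE) != 0;
    r.hits = avc.hits; r.misses = avc.misses; r.flushes = avc.flushes;
    avc_flush(&avc);
    return r;
}
```

With the check, the third lookup sees the bumped generation, flushes, misses, and gets the post-reload vector (UPDATE denied); without it, the third lookup is a cache hit and the process keeps granting UPDATE from a policy that no longer allows it. Two caveats a real implementation has to handle and this sketch only hints at: the generation word must be read once and stored as the value seen (not re-read after the flush), otherwise a bump that lands during the flush is silently lost; and `volatile` is not a cross-process synchronization primitive, so the flag on an actual shared memory segment needs proper atomics or barriers on both the writer and reader side.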