On Fri, Aug 10, 2012 at 02:08:26PM -0400, Stephen Smalley wrote:
> On Fri, 2012-08-10 at 19:00 +0200, Ole Kliemann wrote:
> > I don't have an auditd, not running mcstransd and also had
> > disabled restorecond.
> >
> > I take it, /sys/fs/selinux is equivalent to /selinux?
>
> Yes. /selinux moved to /sys/fs/selinux in more modern distro versions.
>
> > /sys/fs/selinux is empty on both my Ubuntu systems.
> >
> > /selinux/policyver is 26 as is the suffix of the policy file.
> >
> > Complete policy is attached. choke/src/support/choke.spt can be tuned
> > to suck even more. Do 'make load' in choke/src/ and you are good
> > to go.
>
> Ok, loaded. Now what exactly are you doing to test it?

$ runcon choke_u:choke_r:choke_t ksh -l
$ id

Then witness the lag.

If you want hard numbers, use the attached script. First start off in
system_r:unconfined_r:unconfined_t. Run the script somewhere, /tmp e.g.
For proper average value computation you need 'bc' installed, otherwise
it's rounded but doesn't matter.

Then switch to choke_u:choke_r:choke_t. Run the script here.

If it's inconclusive, start uncommenting additional attributes in
choke/src/support/choke.spt.
Attachment:
x.sh
Description: Bourne shell script
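An added example, not the x.sh attached to the original message (its contents are not on this page): a small timing harness for the comparison described above, run once in the unconfined context and once after `runcon` into choke_t. It assumes GNU date for `%N`; the function names and the `RUNS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: average the wall-clock time of repeated runs of a command,
# so the same measurement can be taken in two SELinux contexts and compared.
# Assumes GNU date (%N = nanoseconds). All names here are hypothetical.

# Print the total nanoseconds taken by N runs of the given command.
time_runs() {
    n=$1; shift
    start=$(date +%s%N)
    i=0
    while [ "$i" -lt "$n" ]; do
        "$@" >/dev/null 2>&1 || true   # a failing command must not stop the loop
        i=$((i + 1))
    done
    end=$(date +%s%N)
    echo $((end - start))
}

# Print the per-run average in milliseconds: three decimals when bc is
# installed, otherwise integer division (rounded down).
avg_ms() {
    total_ns=$1; n=$2
    if command -v bc >/dev/null 2>&1; then
        echo "scale=3; $total_ns / ($n * 1000000)" | bc
    else
        echo $((total_ns / (n * 1000000)))
    fi
}

# Print one result line tagged with the current context, so runs from
# different contexts can be told apart when pasted side by side.
report() {
    n=$1; shift
    ctx=$(id -Z 2>/dev/null || true)   # empty on kernels without SELinux
    total=$(time_runs "$n" "$@")
    echo "context=${ctx:-n/a} cmd=$1 runs=$n avg_ms=$(avg_ms "$total" "$n")"
}

# Default measurement: the 'id' call from the message, 20 runs unless RUNS is set.
report "${RUNS:-20}" id
```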