On Fri, 2012-08-10 at 20:46 +0200, Ole Kliemann wrote:
> On Fri, Aug 10, 2012 at 02:08:26PM -0400, Stephen Smalley wrote:
> > On Fri, 2012-08-10 at 19:00 +0200, Ole Kliemann wrote:
> > > I don't have an auditd, not running mcstransd and also had
> > > disabled restorecond.
> > >
> > > I take it, /sys/fs/selinux is equivalent to /selinux?
> >
> > Yes. /selinux moved to /sys/fs/selinux in more modern distro versions.
> >
> > > /sys/fs/selinux is empty on both my Ubuntu systems.
> > >
> > > /selinux/policyver is 26 as is the suffix of the policy file.
> > >
> > > Complete policy is attached. choke/src/support/choke.spt can be tuned
> > > to suck even more. Do 'make load' in choke/src/ and you are good
> > > to go.
> >
> > Ok, loaded. Now what exactly are you doing to test it?
>
> $ runcon choke_u:choke_r:choke_t ksh -l
> $ id
>
> Then witness the lag.

Not seeing it.

> If you want hard numbers, use the attached script. First start
> off in system_r:unconfined_r:unconfined_t. Run the script
> somewhere, /tmp e.g. For proper average value computation you
> need 'bc' installed, otherwise it's rounded but doesn't matter.

Triggers a ton of error messages in dmesg from SELinux about unmapped
security contexts?

> Then switch to choke_u:choke_r:choke_t. Run the script here. If
> it's inconclusive, start uncommenting additional attributes in
> choke/src/support/choke.spt.

--
Stephen Smalley
National Security Agency