On Fri, Aug 10, 2012 at 02:55:30PM -0400, Stephen Smalley wrote:
> On Fri, 2012-08-10 at 20:46 +0200, Ole Kliemann wrote:
> > On Fri, Aug 10, 2012 at 02:08:26PM -0400, Stephen Smalley wrote:
> > > On Fri, 2012-08-10 at 19:00 +0200, Ole Kliemann wrote:
> > > > I don't have an auditd, not running mcstransd and also had
> > > > disabled restorecond.
> > > >
> > > > I take it, /sys/fs/selinux is equivalent to /selinux?
> > >
> > > Yes. /selinux moved to /sys/fs/selinux in more modern distro versions.
> > >
> > > > /sys/fs/selinux is empty on both my Ubuntu systems.
> > > >
> > > > /selinux/policyver is 26 as is the suffix of the policy file.
> > > >
> > > > Complete policy is attached. choke/src/support/choke.spt can be tuned
> > > > to suck even more. Do 'make load' in choke/src/ and you are good
> > > > to go.
> > >
> > > Ok, loaded. Now what exactly are you doing to test it?
> >
> > $ runcon choke_u:choke_r:choke_t ksh -l
> > $ id
> >
> > Then witness the lag.
>
> Not seeing it.
>
> > If you want hard numbers, use the attached script. First start
> > off in system_r:unconfined_r:unconfined_t. Run the script
> > somewhere, /tmp e.g. For proper average value computation you
> > need 'bc' installed, otherwise it's rounded but doesn't matter.
>
> Triggers a ton of error messages in dmesg from SELinux about unmapped
> security contexts?
>
> > Then switch to choke_u:choke_r:choke_t. Run the script here. If
> > it's inconclusive, start uncommenting additional attributes in
> > choke/src/support/choke.spt.

Sorry, my mistake, got confused. Here's the right stuff now. The script is in choke/test/
Attachment:
choke.tar.bz2
Description: Binary data