On 11/01/2013 01:00 PM, Carlos O'Donell wrote:
> On 11/01/2013 12:00 PM, Stephen Smalley wrote:
>> But selinux_check_access() is IMHO a better way to go for any new code
>> unless it is so performance-critical that the context, class, and perm
>> lookups per check are prohibitive.
>
> The code in question is from glibc's nscd and used when determining if
> the user should or should not have access to specific cache results, and
> therefore it is performance sensitive. The faster we can determine if
> access is allowed the faster we can return a result to a client that
> needs an answer about a particular credential. I'm happy doing the
> translations at startup when the daemon is initializing, but I'm not
> happy to do them at every request arriving to the daemon. Unless someone
> says this needs to be fully dynamic I'd like to avoid any costs during
> the request handling phase.

I doubt the overhead of the SID/class/perm lookup compares to the IPC
overhead, but I can't say that I've measured it. But feel free to use
whichever interface you prefer.