On 1/31/20 2:08 PM, Wenhui Zhang wrote:
> Hi, Smalley:
> The DAC, MAC and SELinux performance measurements have been performed, and it
> seems like our conclusion is consistent with our previous evaluation.
> Please see here (configuration files are included as well):
> 5.3.0-results
> <https://drive.google.com/drive/folders/1NPkHYoffPnkvMlXIM5ytrqzBThLwXx86>
> I am trying to test other modules (SMACK, AppArmor, Integrity, etc.)
Still looks like there are some unrelated differences in kernel configs
among dac, mac, and selinux that aren't actually related to what you are
testing. Also, looks like there is a typo in your CONFIG_LSM for
selinux-config.txt, not sure what effect that has if any.
Looks like you are only running micro benchmarks?
What did you use as your base distribution? Fedora 31? Is SELinux
running enforcing with a policy loaded, and no denials during the
benchmark runs (i.e. no avc: denied messages in ausearch -m AVC -ts
boot or journalctl -b output)? Is the benchmark running in unconfined_t
or some other context?
> However, what confused me a lot is the Kconfig file in
> ./linux/security/Kconfig:
>
> config LSM
> 	string "Ordered list of enabled LSMs"
> 	default "newmodule,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
> 	default "newmodule,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
> 	default "newmodule,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> 	default "newmodule,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
> 	default "newmodule,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> IMHO it is a little confusing; changing it to the below might make it a
> little clearer:
>
> config LSM
> 	string "Ordered list of enabled LSMs"
> 	default "newmodule,yama,loadpin,safetsetid,integrity,tomoyo,apparmor,selinux,smack" if DEFAULT_SECURITY_SMACK
> 	default "newmodule,yama,loadpin,safesetid,integrity,tomoyo,smack,selinux,apparmor" if DEFAULT_SECURITY_APPARMOR
> 	default "newmodule,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> 	# could we leave this as an empty string?
> 	default "" if DEFAULT_SECURITY_DAC
> 	# on Ubuntu, apparmor is the default; however on CentOS etc. selinux
> 	# may be the default, and on Android smack is the default
> 	default "newmodule,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
>
> Any suggestions on cleaning up the code in this part, please?
I could be wrong but I think the ordering is to preserve the old
behavior of DEFAULT_SECURITY_FOO while still allowing future stacking
if/when it is supported by the respective modules. So the default major
module has to precede any other major modules in the list in order to
win at registration time.
BTW Android uses SELinux [1], not Smack.
[1] http://selinuxproject.org/page/SEAndroid
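The questions above about the benchmark environment (which LSMs are active, whether SELinux is enforcing with a policy loaded, whether the run produced AVC denials, and which context the benchmark ran in) can be turned into a pre-flight check. The following is an added example, not code from this thread or from the kernel project; it takes the text of each source as an argument so it runs offline on constructed sample input. On a live system the arguments would be the contents of /sys/kernel/security/lsm and /sys/fs/selinux/enforce, the output of `ausearch -m AVC -ts boot` (or `journalctl -b`), and the output of `id -Z`.

```python
"""Pre-flight checks for an LSM benchmark run (added example, not from the thread)."""
import re

def active_lsms(lsm_file_text):
    """Parse the comma-separated list exposed in /sys/kernel/security/lsm."""
    return [n for n in lsm_file_text.strip().split(",") if n]

def selinux_enforcing(enforce_file_text):
    """/sys/fs/selinux/enforce holds '1' when enforcing and '0' when permissive."""
    return enforce_file_text.strip() == "1"

# Matches the 'avc:  denied  { perms }' record produced by both ausearch and
# the kernel audit lines that journalctl -b shows.
AVC_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")

def avc_denials(log_text):
    """Return one (permissions, raw_line) pair per AVC denial in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if m:
            hits.append((m.group(1).split(), line.strip()))
    return hits

def context_type(id_z_output):
    """Extract the type field from a 'user:role:type:level' security context."""
    parts = id_z_output.strip().split(":")
    return parts[2] if len(parts) >= 3 else None

def benchmark_preconditions(lsm_text, enforce_text, log_text, id_z_text,
                            expected_major="selinux"):
    """Return a list of problems; an empty list means the run is comparable.

    The benchmark context is not treated as a problem: it is reported via
    context_type() so it can be stated next to the results.
    """
    problems = []
    lsms = active_lsms(lsm_text)
    if expected_major not in lsms:
        problems.append(f"{expected_major} is not in the active LSM list {lsms}")
    if expected_major == "selinux" and not selinux_enforcing(enforce_text):
        problems.append("SELinux is not enforcing")
    denials = avc_denials(log_text)
    if denials:
        problems.append(f"{len(denials)} AVC denial(s) during the run")
    return problems

# Constructed sample inputs (not real captures from the thread's systems).
SAMPLE_LSM = "capability,yama,loadpin,safesetid,integrity,selinux\n"
SAMPLE_ENFORCE = "1\n"
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1580500000.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="bench" name="data" dev="dm-0" ino=1 scontext=system_u:system_r:bench_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0\n'
    'type=SYSCALL msg=audit(1580500000.123:456): arch=c000003e syscall=257 success=no exit=-13\n'
)
SAMPLE_ID_Z = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n"

if __name__ == "__main__":
    print("context:", context_type(SAMPLE_ID_Z))
    print("problems:", benchmark_preconditions(SAMPLE_LSM, SAMPLE_ENFORCE,
                                               SAMPLE_AUDIT, SAMPLE_ID_Z))
```

A DAC or AppArmor run would pass a different `expected_major`; the SELinux-specific enforcing check is then skipped, but the LSM list and the audit log are still checked so that the configurations being compared are actually what the kernel booted with.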
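To make the ordering point concrete, here is an added example (not code from this thread or from the kernel) that models how the kernel turns a CONFIG_LSM string into an initialization order, as the author of this example understands ordered_lsm_parse() and lsm_allowed() in security/security.c: modules initialize in the listed order, the first module flagged LSM_FLAG_EXCLUSIVE becomes the active major and any later exclusive module is skipped, non-exclusive modules stack, the capability LSM always comes first, and a name that is not built in is ignored. The flag set is an assumption for a 5.3-era kernel (selinux, smack and apparmor exclusive; tomoyo and the minor LSMs not). The poster's "newmodule" is not in the model's built-in set, so it shows up as ignored, which is also what happens to any name in CONFIG_LSM that does not match a built-in LSM exactly; the kernel compares names with strcmp(), so a stray space inside the string has the same effect.

```python
"""Model of CONFIG_LSM ordering (added example; assumptions noted inline)."""

# Assumed 5.3-era flag set: the three legacy majors carry LSM_FLAG_EXCLUSIVE,
# tomoyo and the minor LSMs do not.
EXCLUSIVE = {"selinux", "smack", "apparmor"}
BUILTIN = {"yama", "loadpin", "safesetid", "integrity",
           "selinux", "smack", "tomoyo", "apparmor"}


def ordered_lsm_init(config_lsm, builtin=BUILTIN, exclusive=EXCLUSIVE):
    """Return (init_order, winning_major, ignored_names) for a CONFIG_LSM string."""
    order = ["capability"]  # LSM_ORDER_FIRST: never listed, always initialized first
    winner = None
    ignored = []
    for name in config_lsm.split(","):
        if name == "":
            continue  # an empty CONFIG_LSM (or trailing comma) contributes nothing
        if name not in builtin:
            ignored.append(name)  # unknown, not built in, or mis-spelled (e.g. " tomoyo")
            continue
        if name in exclusive:
            if winner is not None:
                continue  # a later exclusive LSM loses to the one already chosen
            winner = name
        order.append(name)
    return order, winner, ignored


def default_major_wins(config_lsm, expected_major):
    """The property described in the reply: the module selected by
    DEFAULT_SECURITY_* must precede the other majors so that it wins."""
    return ordered_lsm_init(config_lsm)[1] == expected_major


# Strings from the Kconfig quoted in the thread (with the poster's extra
# "newmodule") and the poster's proposed reordering for the Smack case,
# written without the spaces the e-mail wrapping introduced.
KCONFIG_SMACK = "newmodule,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor"
KCONFIG_NONE = "newmodule,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
PROPOSED_SMACK = "newmodule,yama,loadpin,safesetid,integrity,tomoyo,apparmor,selinux,smack"

if __name__ == "__main__":
    for label, cfg in (("Kconfig SMACK", KCONFIG_SMACK),
                       ("Kconfig default", KCONFIG_NONE),
                       ("proposed SMACK", PROPOSED_SMACK)):
        order, winner, ignored = ordered_lsm_init(cfg)
        print(f"{label}: winner={winner} order={order} ignored={ignored}")
```

Run against the quoted defaults, the Kconfig ordering makes smack win under DEFAULT_SECURITY_SMACK and selinux win in the unconditional default, while the proposed reordering for the Smack case puts apparmor ahead of smack and therefore selects apparmor, which is the behaviour change the reply warns about.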