From: Stephen Smalley <sds@tycho.nsa.gov>
To: ivg2@cornell.edu
Cc: James Morris <jmorris@redhat.com>,
Karl MacMillan <kmacmillan@tresys.com>,
selinux@tycho.nsa.gov, "'Daniel J Walsh'" <dwalsh@redhat.com>
Subject: RE: file contexts and modularity
Date: Fri, 24 Jun 2005 08:21:50 -0400 [thread overview]
Message-ID: <1119615710.12865.57.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <1119558539.16753.74.camel@celtics.boston.redhat.com>
On Thu, 2005-06-23 at 16:28 -0400, Ivan Gyurdiev wrote:
> it still takes 4 seconds for useradd to load the policy.
> It's awfully slow.... that's 2x policydb_read, because of
> the verify-after-write.
This is something that I think merits further discussion. I think that
the real problem is that the avtab size has grown far beyond what we
originally anticipated and this is hurting us both in time (to
manipulate policies, to load policies, and even to search the avtab) and
in space (kernel memory consumption by the avtab is huge). We certainly
didn't expect the avtab to reach 484,677 distinct entries (FC4 strict
policy) and even the targeted policy in FC4 is now up to 215886 entries.
While the loadable/binary policy module work may help somewhat by
allowing us to omit policy modules easily for packages that are not
installed and the userspace security server will allow us to omit
userspace policy from the kernel, I still expect this to be a problem
for default installs and general purpose systems, particularly as we
begin to extend SELinux into securing the desktop. This suggests that
we may need to refactor the data representation for the avtab, replacing
it with a more compact representation that will require more complex and
likely slower computation in the kernel for security_compute_av (but
this should mostly be hidden by the AVC). In effect, something more
like the avrules of the module work, i.e. more like policy.conf itself,
where we can store multiple classes and multiple types in a single
entry, and possibly even preserve the notion of type attributes to
reduce the need for storing the same (large) type set repeatedly. Also,
a direct representation of the notion of unconfined might be useful in
eliminating policy bloat, although that is difficult to capture and
targeted policy has been denying even unconfined certain permissions if
certain booleans are disabled (e.g. execmem/execmod).
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-06-24 12:21 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-23 3:00 file contexts and modularity Ivan Gyurdiev
2005-06-23 17:37 ` Karl MacMillan
2005-06-23 18:05 ` Ivan Gyurdiev
2005-06-23 18:21 ` Karl MacMillan
2005-06-23 18:25 ` Ivan Gyurdiev
2005-06-23 18:40 ` Karl MacMillan
2005-06-23 19:00 ` Ivan Gyurdiev
2005-06-23 19:39 ` Karl MacMillan
2005-06-23 20:28 ` Ivan Gyurdiev
2005-06-23 20:36 ` Ivan Gyurdiev
2005-06-24 12:08 ` Stephen Smalley
2005-06-24 15:43 ` Ivan Gyurdiev
2005-06-24 18:32 ` Stephen Smalley
2005-06-24 18:37 ` Ivan Gyurdiev
2005-06-24 12:21 ` Stephen Smalley [this message]
2005-06-24 14:30 ` Karl MacMillan
2005-06-24 16:05 ` Karl MacMillan
2005-06-24 18:05 ` Frank Mayer
2005-06-24 18:40 ` Stephen Smalley
2005-06-28 15:41 ` Karl MacMillan
2005-06-28 16:21 ` Stephen Smalley
2005-06-24 15:51 ` Casey Schaufler
2005-06-24 16:36 ` Karl MacMillan
2005-06-24 16:47 ` Casey Schaufler
2005-06-24 16:56 ` Karl MacMillan
2005-06-24 17:10 ` Casey Schaufler
2005-06-24 15:39 ` Karl MacMillan
2005-06-24 16:03 ` Ivan Gyurdiev
2005-06-24 16:28 ` Karl MacMillan
2005-06-24 17:56 ` Ivan Gyurdiev
2005-06-27 15:07 ` Karl MacMillan
2005-06-27 15:36 ` Ivan Gyurdiev
2005-06-27 17:25 ` Karl MacMillan
2005-06-27 17:56 ` Ivan Gyurdiev
2005-06-28 13:47 ` Karl MacMillan
2005-06-28 19:31 ` Ivan Gyurdiev
2005-06-29 17:28 ` Ivan Gyurdiev
2005-06-29 18:17 ` Karl MacMillan
2005-06-29 18:46 ` Ivan Gyurdiev
2005-06-29 18:53 ` Stephen Smalley
2005-06-29 19:04 ` Karl MacMillan
2005-06-29 19:24 ` Ivan Gyurdiev
2005-06-29 19:50 ` Stephen Smalley
2005-06-29 20:03 ` Ivan Gyurdiev
2005-06-29 20:09 ` Stephen Smalley
2005-06-29 20:22 ` Ivan Gyurdiev
2005-06-30 13:54 ` Stephen Smalley
2005-06-29 20:22 ` Janak Desai
2005-06-29 20:43 ` Ivan Gyurdiev
2005-06-30 13:53 ` Ivan Gyurdiev
2005-06-30 13:58 ` Stephen Smalley
2005-06-30 14:48 ` Karl MacMillan
2005-06-30 14:52 ` Stephen Smalley
2005-06-30 13:56 ` Stephen Smalley
2005-06-29 20:13 ` Janak Desai
2005-06-30 0:40 ` Luke Kenneth Casson Leighton
2005-06-29 19:04 ` Karl MacMillan
2005-06-29 19:20 ` Ivan Gyurdiev
2005-06-24 5:03 ` Ivan Gyurdiev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1119615710.12865.57.camel@moss-spartans.epoch.ncsc.mil \
--to=sds@tycho.nsa.gov \
--cc=dwalsh@redhat.com \
--cc=ivg2@cornell.edu \
--cc=jmorris@redhat.com \
--cc=kmacmillan@tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.