Bug#249510: acknowledged by developer (selinux in debian kernel)
it's not a severe performance penalty. especially when it's disabled by default with selinux=0.

On Wed, Sep 29, 2004 at 08:33:08AM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #249510: kernel-image-2.6.5-1-686: can SELinux please be compiled in (and then disabled by default),
> which was filed against the kernel package.
>
> It has been closed by one of the developers, namely
> maks attems [EMAIL PROTECTED].
>
> Their explanation is attached below. If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact the developer, by replying to this email.
>
> Debian bug tracking system administrator
> (administrator, Debian Bugs database)
>
> Date: Wed, 29 Sep 2004 17:12:42 +0200
> From: maks attems [EMAIL PROTECTED]
> Subject: selinux in debian kernel
>
> current selinux suffers severe performance problems,
> the developers are working on this for post 2.6.8.
>
> --
> maks
> kernel janitor http://janitor.kernelnewbies.org/

--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
[EMAIL PROTECTED]
Bug#249510: acknowledged by developer (selinux in debian kernel)
On Wed, Sep 29, 2004 at 09:14:20PM +0100, Luke Kenneth Casson Leighton wrote:
> it's not a severe performance penalty. especially when it's disabled by
> default with selinux=0.

Yes, all the indirect calls due to CONFIG_SECURITY are a performance penalty.
Bug#249510: acknowledged by developer (selinux in debian kernel)
On Wed, Sep 29, 2004 at 10:33:28PM +0200, Christoph Hellwig wrote:
> On Wed, Sep 29, 2004 at 09:14:20PM +0100, Luke Kenneth Casson Leighton wrote:
> > it's not a severe performance penalty. especially when it's disabled by
> > default with selinux=0.
>
> Yes, all the indirect calls due to CONFIG_SECURITY are a performance penalty.

... of about 2%. sufficiently insignificant for both redhat _and_ suse to have started shipping, six months ago, kernels with selinux compiled in and disabled by default.

l.
Bug#249510: acknowledged by developer (selinux in debian kernel)
On Wed, Sep 29, 2004 at 10:54:21PM +0100, Luke Kenneth Casson Leighton wrote:
> On Wed, Sep 29, 2004 at 10:33:28PM +0200, Christoph Hellwig wrote:
> > On Wed, Sep 29, 2004 at 09:14:20PM +0100, Luke Kenneth Casson Leighton wrote:
> > > it's not a severe performance penalty. especially when it's disabled by
> > > default with selinux=0.
> >
> > Yes, all the indirect calls due to CONFIG_SECURITY are a performance penalty.
>
> ... of about 2%. sufficiently insignificant for both redhat _and_ suse
> to have started shipping, six months ago, kernels with selinux compiled in
> and disabled by default.

It's more like 5% for the benchmarks I've seen (from HP), and yes, they complained to SuSE loudly because of that.
Bug#249510: acknowledged by developer (selinux in debian kernel)
On Wed, Sep 29, 2004 at 11:47:20PM +0200, Christoph Hellwig wrote:
> On Wed, Sep 29, 2004 at 10:54:21PM +0100, Luke Kenneth Casson Leighton wrote:
> > On Wed, Sep 29, 2004 at 10:33:28PM +0200, Christoph Hellwig wrote:
> > > On Wed, Sep 29, 2004 at 09:14:20PM +0100, Luke Kenneth Casson Leighton wrote:
> > > > it's not a severe performance penalty. especially when it's disabled by
> > > > default with selinux=0.
> > >
> > > Yes, all the indirect calls due to CONFIG_SECURITY are a performance penalty.
> >
> > ... of about 2%. sufficiently insignificant for both redhat _and_ suse
> > to have started shipping, six months ago, kernels with selinux compiled in
> > and disabled by default.
>
> It's more like 5% for the benchmarks I've seen (from HP), and yes, they
> complained to SuSE loudly because of that.

2%, 5% - it's not 10% and it's not 20% is it? 20%+ is a severe performance penalty.

... what's the cutoff point at which a decision can be made to encourage people to take security seriously rather than to believe speed is all-important?

if people _desperately_ need their 5% performance back, they can compile the kernel - and all applications - with gcc 3.4 or greater, using arguments specifically tailored for their architecture, and they can use prelink.

that way they will get, like the new yoper distribution and like gentoo, a whopping great performance boost.

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
[EMAIL PROTECTED]
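
Added example, not part of the thread or of any Debian tooling: a shell function that reports whether a kernel matches the "compiled in, disabled by default" state the bug report asks for, given its `.config` text and boot command line. It assumes the 2.6-era options `CONFIG_SECURITY_SELINUX_BOOTPARAM` and `CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE`; the sample config and command lines are constructed.

```sh
#!/bin/sh
# Classify a kernel as: not-built | built-enabled | built-disabled.
# Either "built-*" state still carries CONFIG_SECURITY, whose hook calls are
# what the thread's performance argument is about.

# Constructed sample: SELinux compiled in, off unless selinux=1 is passed.
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0'

selinux_state() {
    config=$1
    cmdline=$2

    # Not compiled in: no boot parameter can turn it on.
    if ! printf '%s\n' "$config" | grep -qx 'CONFIG_SECURITY_SELINUX=y'; then
        echo not-built
        return 0
    fi

    # Compile-time default; treated as 1 (enabled) when the option is absent.
    state=$(printf '%s\n' "$config" |
        sed -n 's/^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=\([01]\)$/\1/p')
    state=${state:-1}

    # selinux=0 / selinux=1 overrides the default only when the boot
    # parameter itself was compiled in; the last occurrence wins.
    if printf '%s\n' "$config" | grep -qx 'CONFIG_SECURITY_SELINUX_BOOTPARAM=y'; then
        override=$(printf '%s\n' "$cmdline" | tr ' ' '\n' |
            sed -n 's/^selinux=\([01]\)$/\1/p' | tail -n 1)
        if [ -n "$override" ]; then
            state=$override
        fi
    fi

    if [ "$state" = 1 ]; then echo built-enabled; else echo built-disabled; fi
}

# On a live system (usual Debian locations):
#   selinux_state "$(cat "/boot/config-$(uname -r)")" "$(cat /proc/cmdline)"
selinux_state "$SAMPLE_CONFIG" "root=/dev/hda1 ro"            # built-disabled
selinux_state "$SAMPLE_CONFIG" "root=/dev/hda1 ro selinux=1"  # built-enabled
```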