----- Forwarded message from Stephen Smalley <[EMAIL PROTECTED]> -----
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 04 Nov 2004 16:37:30 +0000
X-Sieve: CMU Sieve 2.2
Subject: Re: Updated SELinux Release
From: Stephen Smalley <[EMAIL PROTECTED]>
To: Manoj Srivastava <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Organization: National Security Agency
X-Mailing-List: selinux-tycho.nsa.gov
X-hands-com-MailScanner: Found to be clean
X-MailScanner-From: [EMAIL PROTECTED]

On Thu, 2004-11-04 at 02:02, Manoj Srivastava wrote:
> Moving waaay forward. I asked the Debian kernel team to
> consider compiling in SELinux (perhaps disabled by default, for
> starters), and was told that that is not going to fly because of
> "significant performance hit" one takes by compiling SELinux in. I
> did not have any data to refute the claim, so that is where we sit.

Given that SELinux supports disabling both at boot time (via selinux=0) and at runtime (via /selinux/disable, only useable prior to the initial policy load, used by the patched /sbin/init when /etc/selinux/config specifies disabled), the only performance impact they can truly claim is fundamental to enabling SELinux at compile-time is the overhead of LSM itself. So ask for measurements showing that LSM in 2.6 imposes a significant overhead by itself, and don't accept measurements based on old versions of LSM prior to 2.6.

> While a laudable long term goal, the reality is that most
> distributions do not ship these utilities today, and in the case of
> Debian, progress, while it is happening, is slow enough that
> pragmatism requires we consider the reality that SELinux shall _not_
> be the default in the near term.

Fedora (and RHEL4) and Hardened Gentoo have extensive SELinux integration, and SuSE 9.x had the SELinux code included in the kernel and a subset of the userland, just disabled by default.

-- 
Stephen Smalley <[EMAIL PROTECTED]>
National Security Agency

-- 
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to [EMAIL PROTECTED] with the words "unsubscribe selinux" without quotes as the message.

----- End forwarded message -----

-- 
you don't have to BE MAD | this space   | my brother wanted to join mensa,
to work, but IT HELPS    | for rent     | for an ego trip - and get kicked
you feel better! I AM    | can pay cash | out for an even bigger one.
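The two disable paths Smalley lists (selinux=0 on the kernel command line, and the selinuxfs disable node written by a patched /sbin/init when /etc/selinux/config says disabled) are easy to get wrong in ordering, because the runtime node only works before the first policy load. The following shell is an added example, not code from the mail or from any init implementation: it reproduces the decision that init has to make, written so the config parsing and command-line check can be exercised against constructed input. The modern /sys/fs/selinux mount point and the note about the runtime disable having been removed from recent kernels are my own additions, not something the mail states.

```shell
#!/bin/sh
# Added example (not from the original post): the decision a patched
# /sbin/init makes at boot, as plain shell. Paths other than /selinux/disable
# and /etc/selinux/config, and the kernel-version remark, are assumptions.

# Print the SELINUX= value from an /etc/selinux/config-style file, ignoring
# comments and whitespace. SELINUXTYPE= does not match because the regex
# requires "=" directly after SELINUX. Prints "enforcing" when unset, the
# kernel's behaviour once a policy has been loaded.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        "")                             printf 'enforcing\n' ;;
        *)                              printf 'invalid\n'; return 1 ;;
    esac
}

# Return 0 if the kernel command line (passed as one string, e.g. the
# contents of /proc/cmdline) contains selinux=0, i.e. SELinux was already
# disabled at boot and init has nothing further to do.
disabled_on_cmdline() {
    for arg in $1; do
        [ "$arg" = "selinux=0" ] && return 0
    done
    return 1
}

# Decide whether init must write the runtime disable node. Because that
# node is only honoured before the initial policy load, this has to run
# before load_policy. Returns 0 when a write is needed, 1 otherwise.
# $1 = config file, $2 = kernel command line string
init_should_disable() {
    disabled_on_cmdline "$2" && return 1
    [ "$(selinux_config_mode "$1")" = "disabled" ]
}

# Perform the disable against whichever selinuxfs mount is present.
# /selinux is the 2.6-era mount point used in the mail; /sys/fs/selinux is
# the current one (assumption). The runtime disable was removed from the
# kernel in 6.4, so on such kernels only selinux=0 on the command line works.
runtime_disable() {
    for node in /sys/fs/selinux/disable /selinux/disable; do
        if [ -w "$node" ]; then
            echo 1 > "$node" && return 0
        fi
    done
    echo "no writable selinuxfs disable node; use selinux=0 on the kernel cmdline" >&2
    return 1
}

# Typical use from an init script, before any policy is loaded:
#   init_should_disable /etc/selinux/config "$(cat /proc/cmdline)" && runtime_disable
```

The ordering is the security-relevant part: a distribution that loads policy first and consults the config afterwards ends up with SELinux enabled on a box whose config says disabled, with no way back short of a reboot with selinux=0.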