
Re: [SE/Linux] status / progress report 13jun2004



On Mon, 14 Jun 2004 03:01, Christoph Hellwig <hch@lst.de> wrote:
> On Sun, Jun 13, 2004 at 03:36:48PM +0000, Luke Kenneth Casson Leighton wrote:
> > * debian kernels need to be available compiled with se/linux security
> >   enabled (and boot-time optional) by default.  this results in a
> >   2% performance hit (wow big deal) when se/linux is not enabled
> >   at boot time.  Gentoo, SuSE and Fedora all accept this 2%.
>
> It's actually disabled again (compiled in but disabled) in SuSE because
> the performance hit was much much worse.  And I remember benchmark
> numbers where the lsm hooks alone decreased the SpecWeb numbers on ia64
> by more than 10%.  I'd vote strongly against enabling LSM in the Debian
> kernel images.

In other distributions more features are enabled by default to reduce the 
support costs (people will install the wrong kernel package and file bug 
reports).  In Debian choices are offered for everything, there are several 
mail servers, several POP servers, having several builds for the kernel is 
not a big deal.

Currently there has not been a large demand for SMP SE Linux kernels.  So 
adding a new kernel binary package that's the same as the default one for the 
most common CPU but with SE Linux enabled should be easy enough to do.

1-386 1-586tsc 1-686 1-686-smp 1-k6 1-k7 1-k7-smp speakup alpha amiga arm 
atari bvme6000 hppa i386 ia64 mac mvme147 mvme16x q40 s390

From a quick grep of the packages list the above seems to be the list of 
supported Debian kernel binary packages.  Adding a 686-selinux package and 
compelling anyone who wants SE Linux on anything other than a 686 single-CPU 
machine to compile their own kernel should make most people reasonably happy.  
Athlons generally run i686 code well.

The architectures listed are for 2.4.x kernels - not all architectures support 
2.6.x yet.  I suggest that Debian not provide any binaries to support 2.4.x 
SE Linux kernels; it's just too much work to keep them maintained.  I have 
been thinking of requesting that my package kernel-patch-2.4-lsm be removed 
from Debian as it usually takes more than a month for me to catch up with a 
new kernel.org release.

I don't have the time to build such kernel binaries though, so someone else 
will have to volunteer.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
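The thread turns on the difference between a kernel that has SE Linux compiled in but switched off at boot (the SuSE case Christoph describes) and one where it is actually active. The following is an added example, not part of the original mail or of any Debian package: a small POSIX sh function that classifies a kernel from its build config and boot command line. It assumes the 2.6 Kconfig options CONFIG_SECURITY_SELINUX, CONFIG_SECURITY_SELINUX_BOOTPARAM and CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE (real options; the `selinux=` boot parameter only exists when BOOTPARAM is set), and the sample config and command line are constructed for illustration. The function name `selinux_state` and the three labels are my own.

```shell
#!/bin/sh
# Classify a kernel's SE Linux state from two pieces of text:
#   $1 - the kernel build config (e.g. /boot/config-$(uname -r) or a
#        decompressed /proc/config.gz)
#   $2 - the boot command line (e.g. /proc/cmdline)
# Prints one of:
#   not-built       SE Linux is not compiled into this kernel at all
#   built-disabled  compiled in, but turned off at boot (LSM hooks still present)
#   built-enabled   compiled in and active
selinux_state() {
    config="$1"
    cmdline="$2"

    # No CONFIG_SECURITY_SELINUX=y means no SE Linux code in the image.
    if ! printf '%s\n' "$config" | grep -q '^CONFIG_SECURITY_SELINUX=y$'; then
        echo not-built
        return 0
    fi

    # The selinux= boot parameter is only honoured when the kernel was built
    # with CONFIG_SECURITY_SELINUX_BOOTPARAM=y; without it the build is always on.
    if ! printf '%s\n' "$config" | grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y$'; then
        echo built-enabled
        return 0
    fi

    # An explicit selinux=0 or selinux=1 on the command line wins.
    case " $cmdline " in
        *" selinux=0 "*) echo built-disabled; return 0 ;;
        *" selinux=1 "*) echo built-enabled;  return 0 ;;
    esac

    # With no parameter given, CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE decides
    # the default: 0 means "ship it compiled in but off", which is the SuSE
    # arrangement discussed in the thread.
    if printf '%s\n' "$config" | grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0$'; then
        echo built-disabled
    else
        echo built-enabled
    fi
}

# Constructed sample input modelling a "compiled in but disabled by default" build.
SAMPLE_CONFIG_DISABLED_DEFAULT='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0'
SAMPLE_CMDLINE='root=/dev/hda1 ro'

# Report on the constructed sample, then on the running system if the files exist.
echo "sample kernel: $(selinux_state "$SAMPLE_CONFIG_DISABLED_DEFAULT" "$SAMPLE_CMDLINE")"
if [ -r "/boot/config-$(uname -r)" ] && [ -r /proc/cmdline ]; then
    echo "this kernel:   $(selinux_state "$(cat "/boot/config-$(uname -r)")" "$(cat /proc/cmdline)")"
fi
```

The point of separating `built-disabled` from `not-built` is exactly the one raised in the thread: a disabled SE Linux build still carries the LSM hooks and their overhead, so a benchmark on a "disabled" kernel is not a benchmark of a kernel without LSM.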
