
Re: Top 5 things that aren't in Debian but should be :-)



On Mon, 19 Jan 2004 13:42, Dan Shearer <dan@shearer.org> wrote:
> > SE Linux is in 2.6.0 and 2.6.1.  Herbert has stated that he will build SE
> > Linux into 2.6.1 if he has time.
>
> Good. Doesn't cost anything if you don't use it, or at least, if the
> costs are noticeable for you you'll be building your own kernel anyway.

http://www.coker.com.au/selinux/talks/ols2003/
See the above URL for my paper from OLS 2003 on the resource usage of SE 
Linux.  The new version of SE Linux (i.e. the currently supported version) 
changes things a bit (and I have not compared it in detail), but the 
difference does not appear to be great.

When I was doing the tests for my OLS paper I found SE Linux to take 36K of 
kernel memory when compiled in but not being used, and 45K for the kernel 
image.  Since that time James Morris of Red Hat has made some changes which 
decrease the resource usage of SE Linux when it is compiled in but not used.  
These changes should decrease memory use and also avoid any measurable CPU 
cost.  Without James's CONFIG_SECURITY_SELINUX_BOOTPARAM kernel option a SE 
Linux kernel that is not being used for SE Linux may impose a performance 
overhead of up to 2% on some operations.

I suggested to Herbert that he could reverse the default of the kernel 
parameter used by this option so that by default SE Linux is disabled and 
avoids the 2% cost on some operations.  Then people who want SE Linux would 
need to put "selinux=1" in the append section of lilo.conf (or whatever is 
appropriate for Grub).

> > Steve Kemp's gcc has been working well for me.  I've built kernels and
> > applications with it and not found any problems.  I expect that it will
> > become a standard feature in Debian's gcc soon.
>
> What makes you so confident about this?  I agree that Steve's GCC
> (packaging some work from IBM research, see http://www.steve.org.uk)
> seems to work but there's a long jump between that and saying it is
> ready to unleash on everyone. I've not heard any reports from embedded
> users for example and I've never asked gdb developers what they think of
> it either -- just to pick two examples of possible problems that occur
> to me on the spot. Maybe someone has done lots of homework on this, the
> IBM people perhaps.

I have confidence in the ability of the IBM people to do their homework.  Also 
the Adamantix people have been using SSP to recompile all of woody and 
apparently have found it to work well.  It works for them and it should work 
for us.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
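Added example (not from Russell Coker's message, nor from the kernel tree or any Debian package): a small POSIX sh script that works out what a kernel built with CONFIG_SECURITY_SELINUX_BOOTPARAM will do at boot, given the kernel command line and the build-time default, and that pulls the command line out of the append="..." line of a lilo.conf.  The assumptions are mine and are not stated in the message: a repeated selinux= token is handled left to right so the last one wins, a value that is not a number reads as 0 (disabled), and the build-time default is the value the CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE option supplies when no token is present (the setting the message proposes flipping to 0).  The lilo.conf text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original message or the kernel tree: decide
# whether a CONFIG_SECURITY_SELINUX_BOOTPARAM kernel comes up with SE Linux
# enabled, and extract the command line a lilo.conf append line would pass.
#
# Assumptions (mine): last selinux= token wins; a non-numeric value parses
# as 0; DEFAULT mirrors CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE.

# selinux_boot_state CMDLINE DEFAULT -> prints "enabled" or "disabled"
#   CMDLINE: the kernel command line, e.g. the contents of /proc/cmdline
#   DEFAULT: 1 or 0, what the kernel does when no selinux= token appears
selinux_boot_state() {
    cmdline=$1
    state=${2:-1}
    for tok in $cmdline; do
        case $tok in
            selinux=*)
                val=${tok#selinux=}
                case $val in
                    ''|*[!0-9]*) state=0 ;;   # empty or non-numeric reads as 0
                    *) if [ "$val" -eq 0 ]; then state=0; else state=1; fi ;;
                esac
                ;;
        esac
    done
    if [ "$state" -eq 1 ]; then echo enabled; else echo disabled; fi
}

# lilo_append_cmdline LILO_CONF_TEXT -> prints the value of the last
# append="..." line, which lilo hands to the kernel as its command line
lilo_append_cmdline() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*append[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' |
        tail -n 1
}

# Constructed sample lilo.conf for the demonstration (not a real system's file)
SAMPLE_LILO_CONF='boot=/dev/hda
prompt
timeout=50
image=/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
    append="selinux=1 console=tty0"
'

# Stand-alone run: with the default flipped to 0 as the message proposes, the
# kernel stays disabled unless the append line carries selinux=1.
echo "no selinux= token, default 1: $(selinux_boot_state 'root=/dev/hda1 ro' 1)"
echo "no selinux= token, default 0: $(selinux_boot_state 'root=/dev/hda1 ro' 0)"
echo "sample lilo.conf, default 0:  $(selinux_boot_state "$(lilo_append_cmdline "$SAMPLE_LILO_CONF")" 0)"
```

On a running system the first argument would be "$(cat /proc/cmdline)"; the lilo.conf parser is there so the check can be made against the boot loader configuration before rebooting, which is where the message says the selinux=1 setting has to go once the default is reversed.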


