[sds@epoch.ncsc.mil: Re: Updated SELinux Release]
----- Forwarded message from Stephen Smalley <sds@epoch.ncsc.mil> -----
Envelope-to: lkcl@localhost
Delivery-date: Thu, 04 Nov 2004 16:37:30 +0000
Subject: Re: Updated SELinux Release
From: Stephen Smalley <sds@epoch.ncsc.mil>
To: Manoj Srivastava <manoj.srivastava@stdc.com>
Cc: selinux@tycho.nsa.gov
Organization: National Security Agency
X-Mailing-List: selinux-tycho.nsa.gov
On Thu, 2004-11-04 at 02:02, Manoj Srivastava wrote:
> Moving waaay forward. I asked the Debian kernel team to
> consider compiling in SELinux (perhaps disabled by default, for
> starters), and was told that that is not going to fly because of
> "significant performance hit" one takes by compiling SELinux in. I
> did not have any data to refute the claim, so that is where we sit.
Given that SELinux supports disabling both at boot time (via selinux=0)
and at runtime (via /selinux/disable, only usable prior to the initial
policy load, used by the patched /sbin/init when /etc/selinux/config
specifies disabled), the only performance impact they can truly claim is
fundamental to enabling SELinux at compile-time is the overhead of LSM
itself. So ask for measurements showing that LSM in 2.6 imposes a
significant overhead by itself, and don't accept measurements based on
old versions of LSM prior to 2.6.
> While a laudable long term goal, the reality is that most
> distributions do not ship these utilities today, and in the case of
> Debian, progress, while it is happening, is slow enough that
> pragmatism requires we consider the reality that SELinux shall _not_
> be the default in the near term.
Fedora (and RHEL4) and Hardened Gentoo have extensive SELinux
integration, and SuSE 9.x had the SELinux code included in the kernel
and a subset of the userland, just disabled by default.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
----- End forwarded message -----
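The boot-time and runtime disable paths Stephen describes, as an added example that is not code from the post or from the SELinux project: a sketch of the early-boot decision a SELinux-aware /sbin/init makes before the initial policy load. The function names, the parameterised file paths and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from SELinux itself. File paths
# are parameters so it runs offline on constructed samples; on a real 2.6
# system they would be /proc/cmdline, /etc/selinux/config and the selinuxfs
# mount at /selinux.

# Print the SELINUX= value from a config file, skipping comment lines and
# tolerating whitespace around '='; default to enforcing if the key is absent.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-enforcing}"
}

# Decide what init should do given a kernel command line and a config file:
#   kernel-disabled : selinux=0 on the command line, nothing for init to do
#   disable         : config says disabled, init writes 1 to <selinuxfs>/disable
#   permissive|enforcing : init loads policy and sets that mode
selinux_init_decision() {
    if grep -qE '(^|[[:space:]])selinux=0([[:space:]]|$)' "$1"; then
        echo kernel-disabled
        return 0
    fi
    case $(selinux_config_mode "$2") in
        disabled)   echo disable ;;
        permissive) echo permissive ;;
        *)          echo enforcing ;;
    esac
}

# The runtime disable only works before policy is loaded; the kernel refuses
# the write afterwards, so report the outcome instead of assuming success.
selinux_request_disable() {
    if printf 1 > "$1/disable" 2>/dev/null; then echo requested; else echo refused; fi
}

# Demo on constructed input under a temporary directory (hypothetical paths).
d=$(mktemp -d)
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n' > "$d/cmdline"
printf '# constructed sample config\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
mkdir "$d/selinux"
decision=$(selinux_init_decision "$d/cmdline" "$d/config")
echo "decision: $decision"
if [ "$decision" = disable ]; then
    echo "disable write: $(selinux_request_disable "$d/selinux")"
fi
rm -rf "$d"
```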
--
you don't have to BE MAD | this space | my brother wanted to join mensa,
to work, but IT HELPS | for rent | for an ego trip - and get kicked
you feel better! I AM | can pay cash | out for an even bigger one.