Re: Updated SELinux Release
On Fri, 05 Nov 2004 00:40:41 -0500, Andres Salomon <dilinger@voxel.net> said:
> Manoj, if you're referring to our conversation earlier on IRC, I
> said that I have no personal interest in selinux, but I had no
> problems with it being included as long as it's not a significant
> performance hit. I requested that you take it up on the
> debian-kernel list, though. That request still stands; the kernel
> team is not a single person, nor is it comprised of an IRC channel.
I've had other conversations about this. And, incidentally, if
SELinux is compiled, but not enabled, there is _no_ perceptible hit,
significant or otherwise.
> I assume you're referring to #249510, in which Christoph mentioned
> it was a 5% performance penalty. That's significant, especially for
> people who don't care about selinux. Your argument of "well it's
> not 20%, is it?" is bogus; throwing features into the kernel, each
> having a 5% performance penalty hit, quickly adds up.
Before this gets out of hand, the 5-7% performance hit is for
SELinux being enabled; merely compiling it in, and having the
default setting being that SELinux is disabled at boot time unless
selinux=1 is given on the kernel command line means there is _no_
performance hit of that magnitude.
All you have is LSM, at that point, and the numbers quoted
were for SELinux enabled kernels, not just kernels with LSM.
Now, I am not proposing we enable SELinux with a targeted
policy (which would incur the 5-7% hit) -- I am merely asking the
SELinux option be compiled in for Sarge.
manoj
--
GOOD-NIGHT, everybody ... Now I have to go administer FIRST-AID to my
pet LEISURE SUIT!!
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C