Re: Compiling in SELinux in the default kernels
On Fri, Nov 05, 2004 at 01:39:10AM -0600, Manoj Srivastava wrote:
> Hi,
>
> I would once again like to bring up the possibility of
> compiling in support for SELinux in 2.6.9+ kernels, but leaving them
> disabled by default at boot time. This can be accomplished by
> setting CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE==0 in the
> configuration (I am attaching a suggested set of security related
> configuration options below).
>
> The last time I brought it up, I was told that this has already
> come up on the list, and the reason we do not compile in SELinux is
> that there is a performance hit on doing so.
>
> On doing further research, I have discovered that yes, there
> is a 5-7% performance penalty on *running* SELinux -- but that is a
> whole different ball game. If SELinux is compiled in, and disabled at
> boot, there is no discernible performance hit -- benchmarks show that
> any effect is lost in the noise (since the only effect is that of the
> LSM hooks alone).
>
> I think this would be really helpful to our users, since then
> they can choose to try out SELinux by just adding a stanza to grub or
> lilo -- try things out in non-enforcing mode, for instance.
>
> I also notice that 2.6.9 kernels are not slated for Sarge
> (having just acquired a grave bug to ensure that), I strongly urge
> that the 2.6.9 kernel configuration be modified for SELinux.
Manoj,
That sounds fine to me on all counts - especially the no performance hit
by default, and not included in stable until post sarge counts. I will
put the change into SVN. Other members of the Kernel Team can reverse
it if they feel the need.
--
Horms
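As an added example (not part of this thread, and not Debian kernel-team code), the following POSIX sh snippet takes a kernel .config and a boot command line and reports the SELinux state such a kernel would come up in, following the 2.6.x option semantics Manoj's proposal relies on: CONFIG_SECURITY_SELINUX=y compiles the module in, CONFIG_SECURITY_SELINUX_BOOTPARAM=y makes "selinux=0/1" on the command line honoured, CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE gives the default when no selinux= is passed, and "enforcing=0/1" is only honoured when CONFIG_SECURITY_SELINUX_DEVELOP=y (with that option the kernel starts permissive unless enforcing=1 is given). The sample .config is constructed here and includes DEVELOP=y as an assumption, since the "try things out in non-enforcing mode" stanza needs it; the result is the in-kernel state before init loads a policy and possibly switches enforcing itself.

```shell
#!/bin/sh
# Added example: predict the SELinux state a 2.6.x kernel boots into
# from its build config and its boot command line.
#
# Prints one of: not-built, disabled, permissive, enforcing

# Constructed sample .config (not Manoj's attachment, which is not on the page).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DEVELOP=y'

# cfg_val "CONFIG TEXT" OPTION -> value after '=' (empty if unset or "is not set")
cfg_val() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# cmdline_val "CMDLINE" KEY -> value of the last KEY=... token (empty if absent)
cmdline_val() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# selinux_boot_state "CONFIG TEXT" "CMDLINE"
selinux_boot_state() {
    cfg=$1
    cmdline=$2

    if [ "$(cfg_val "$cfg" CONFIG_SECURITY_SELINUX)" != y ]; then
        echo not-built
        return 0
    fi

    # Default comes from BOOTPARAM_VALUE; the Kconfig default is 1 when unset.
    enabled=$(cfg_val "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE)
    if [ -z "$enabled" ]; then
        enabled=1
    fi
    # selinux=N on the command line overrides the default only if BOOTPARAM=y.
    if [ "$(cfg_val "$cfg" CONFIG_SECURITY_SELINUX_BOOTPARAM)" = y ]; then
        v=$(cmdline_val "$cmdline" selinux)
        if [ -n "$v" ]; then
            enabled=$v
        fi
    fi
    if [ "$enabled" != 1 ]; then
        echo disabled
        return 0
    fi

    # Without DEVELOP the kernel is always enforcing; with it, permissive
    # unless enforcing=1 is passed.
    enforcing=1
    if [ "$(cfg_val "$cfg" CONFIG_SECURITY_SELINUX_DEVELOP)" = y ]; then
        enforcing=0
        v=$(cmdline_val "$cmdline" enforcing)
        if [ -n "$v" ]; then
            enforcing=$v
        fi
    fi
    if [ "$enforcing" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
    return 0
}

# Demo: the stock boot line, then the grub/lilo stanza a user would add.
for cl in "root=/dev/hda1 ro" \
          "root=/dev/hda1 ro selinux=1" \
          "root=/dev/hda1 ro selinux=1 enforcing=1"; do
    printf '%-45s -> %s\n' "$cl" "$(selinux_boot_state "$SAMPLE_CONFIG" "$cl")"
done
```

With BOOTPARAM_VALUE=0 the unmodified boot line yields "disabled", which is the no-cost default Manoj argues for; appending selinux=1 gives a permissive kernel for experimentation, and selinux=1 enforcing=1 gives enforcing. Run the function against /boot/config-$(uname -r) and /proc/cmdline to check a real system, bearing in mind that once init loads a policy the enforcing flag is usually set from /etc/selinux/config rather than from the command line.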