[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How NSA access was built into Windows



On Fri, 2007-01-19 at 07:40 -0500, Stephen Smalley wrote:
> The entire discussion of allowing one to rpm -e libselinux is a red
> herring; applications already perform an is_selinux_enabled() test
> before performing SELinux processing and skip it if disabled.
> Supporting removal of libselinux would just mean that those
> applications would first dlopen() libselinux (vs. direct calls to the
> libselinux functions, which create the current fixed link-time
> dependency) and fall back to the selinux-disabled code path if
> libselinux isn't present.  But in both cases, you are relying on the
> application code to follow the right branch and to truly skip all
> SELinux processing when selinux isn't enabled / libselinux isn't
> present.  It might make a difference in terms of code bloat (although
> libselinux isn't that big and you are trading off runtime performance
> for the dlopen), but it doesn't change the trust issues. 

For some people, having it running certainly causes a performance loss.
Whether that's down to SELinux, itself, or the logging, I've not
experimented with.

-- 
(Currently testing FC5, but still running FC4, if that's important.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]