
Re: How NSA access was built into Windows



On Fri, 2007-01-19 at 20:10 -0500, Lyvim Xaphir wrote:
> On Sat, 2007-01-20 at 08:21 +1030, Tim wrote:
> > Tim:
> > >> For some people, having it running certainly causes a performance
> > >> loss. Whether that's down to SELinux, itself, or the logging, I've
> > >> not experimented with.
> > 
> > Lyvim Xaphir:
> > > Have you been able to get around the lag with selinux=0? 
> > 
> > Not that I want to be rude, but what other method do you think I used to
> > determine it was faster without SELinux?
> 
> 
> SELinux has three modes: enforcing (or "active"), warning (or
> "permissive") and "disabled". From what you wrote here I glean that
> you've only compared "active" with "disabled", the two modes you are
> familiar with.  My question was really directed at getting to know if
> you had touched on permissive mode with regards to performance.  I just
> "assumed" that you would know that, which was my error.

Permissive mode shouldn't be any different than enforcing mode wrt
performance, aside from possible differences in what audit messages get
generated and the resulting load on the audit system.

> I understand that "echo 0 > /selinux/enforce" switches an active
> "enforcing" system to permissive mode, and "echo 1 > /selinux/disable"
> is supposed to be equivalent to disabled entirely.  I was also thinking
> that it would be interesting to observe how SELinux behaves with regard
> to performance when the echo method is used to disable, as compared to
> selinux=0.  Just for the heck of it.  Yes I know they are supposed to be
> the same, but still experimental verification couldn't hurt.

selinux=0 is better since it can be detected by SELinux immediately
during initialization and preclude any registration of hooks or
allocation of memory by SELinux.  /selinux/disable has to retroactively
unregister the hooks.  Of course, in the end, both should yield the same
runtime performance since the hooks are no longer registered, but there
could be slight variances.

-- 
Stephen Smalley
National Security Agency

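The three modes and the two ways of leaving enforcing mode that the thread discusses (the enforce node, the disable node, and the selinux=0 boot parameter) can be read back from the system. The script below is an added example, not code from the thread or from the SELinux project: it reports the current mode from the selinuxfs nodes and tells a boot-time disable (selinux=0 on the kernel command line) apart from a runtime one. The mount point is a parameter because selinuxfs lived at /selinux when this mail was written and lives at /sys/fs/selinux on current kernels; the fixture directories and command lines in demo() are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the selinuxfs nodes discussed
# above and the kernel command line to report how SELinux is configured.
# Pass the selinuxfs mount point (/selinux on 2007-era systems,
# /sys/fs/selinux on current ones) and the cmdline file as arguments so the
# same functions can be run against constructed directories.

# selinux_mode DIR: prints disabled, permissive or enforcing.
selinux_mode() {
    dir="${1:-/sys/fs/selinux}"
    # No readable enforce node: the LSM never registered its hooks
    # (selinux=0) or unregistered them through the disable node.
    if [ ! -r "$dir/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$dir/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# cmdline_disables_selinux FILE: succeeds when selinux=0 is on the kernel
# command line, i.e. SELinux was switched off at boot, not at runtime.
cmdline_disables_selinux() {
    file="${1:-/proc/cmdline}"
    case " $(cat "$file") " in
        *" selinux=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_enforcement DIR FILE: one-line summary of the mode and, when SELinux
# is off, whether that happened at boot or at runtime. A runtime switch to
# permissive (denials logged, not enforced) or disabled (nothing logged) is
# the case worth alerting on, since the policy is still installed and the
# box looks normal otherwise.
check_enforcement() {
    mode="$(selinux_mode "$1")"
    if [ "$mode" = disabled ]; then
        if cmdline_disables_selinux "$2"; then
            echo "disabled at boot (selinux=0)"
        else
            echo "disabled at runtime (disable node) or not built in"
        fi
    else
        echo "$mode"
    fi
}

# Constructed fixtures standing in for three machines; no real selinuxfs
# is touched.
demo() {
    tmp="$(mktemp -d)"
    mkdir "$tmp/a" "$tmp/b" "$tmp/c"
    echo 1 > "$tmp/a/enforce"                       # enforcing
    echo 0 > "$tmp/b/enforce"                       # echo 0 > enforce was run
    # c has no enforce node at all: SELinux is off
    echo "root=/dev/sda1 ro quiet" > "$tmp/cmdline_on"
    echo "root=/dev/sda1 ro selinux=0" > "$tmp/cmdline_off"
    for host in a b c; do
        printf '%s: %s\n' "$host" \
            "$(check_enforcement "$tmp/$host" "$tmp/cmdline_on")"
    done
    printf 'c (booted with selinux=0): %s\n' \
        "$(check_enforcement "$tmp/c" "$tmp/cmdline_off")"
    rm -rf "$tmp"
}

demo
```

On a live system, `check_enforcement /sys/fs/selinux /proc/cmdline` (or `/selinux` on older distributions) gives the same one-line answer; running it from a periodic job and diffing against the expected mode is a cheap way to notice that enforcement was turned off without a reboot.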
