How NSA access was built into Windows

Stephen Smalley sds at tycho.nsa.gov
Mon Jan 22 15:13:37 UTC 2007


On Sun, 2007-01-21 at 17:11 -0500, Gene Heskett wrote:
> On Sunday 21 January 2007 14:36, Lyvim Xaphir wrote:
> >On Sun, 2007-01-21 at 01:14 -0500, R. G. Newbury wrote:
> >> David Boles wrote:
> [and I snipped, we have enough trolls under this bridge already]
> 
> Also, to add a bit of fuel to the fire, I just rebuilt my 2.6.20-rc4 again 
> after having found some more selinux stuff in the previous build that I 
> am now running without.
> 
> 1: Now my logs are clean again.
> 
> 2: It took me 27 minutes to build that selinux free kernel.  Now check 
> this, after having added quite a few usb network related modules as I'm 
> trying to get into a wap11 via the usb port, which will allow me to do a 
> reset to factory, something I cannot do from the snmp interface because 
> that interface requires the old password, something I've forgotten in the 
> 8 months since I last used this device.
> 
> #> time ./makeit
> [snip about 200k of make output]
> All done! Edit grub.conf, reboot and choose your kernel at the grub prompt
> 
> real    8m42.183s
> user    4m21.606s
> sys     1m11.805s
> [root at coyote linux-2.6.20-rc4]#                 
> 
> Now, I could have done something to speed this system up that's not 
> related to selinux, but the only things I've done are to rip out the livna 
> versions of mplayer and mplayerplugin with --nodeps, and put them back in 
> from dries before they were missed, and then restart firefox from its own 
> file menu pulldown, (normal quits and re-runs didn't seem to do it) and 
> now both foxnews and cnn videos play, although cnn's videos act like 
> the server is in need of quite a bit more iron in its diet.
> 
> Now, somebody, preferably Dr. Smalley, please explain to me why I should 
> run something that takes a 9 minute compile and makes it take 27 minutes 
> to do it.  And the rest of the system just plain feels snappier.

(1) I'm not a PhD.
(2) If SELinux tripled your kernel compile time, then something is
terribly wrong with it.  I've never seen that kind of overhead in kernel
compile benchmarks, not even close.  More like a few percent.  Please
verify that you are using comparable baselines (e.g. same kernel other
than selinux options in .config) and tests (are you sure your second
build was from a clean state, and was there any other system activity
ongoing during either build?).  Can you reproduce the result reliably?
Were any audit/avc messages generated during either build,
to /var/log/messages or /var/log/audit/audit.log (if running auditd)?

-- 
Stephen Smalley
National Security Agency
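The checks Smalley lists (same .config apart from the SELinux options, a clean tree before each run, a repeatable timing, and a look for AVC denials logged during the build) can be scripted. The following is an added example and is not code from this thread or from the SELinux project. It assumes a configured kernel tree at $KSRC, root privileges for setenforce and drop_caches, and AVC records in $AUDIT_LOG (auditd's audit.log, or /var/log/messages when auditd is not running); all of those paths and names are assumptions, not anything the posters wrote.

```shell
#!/bin/sh
# Added example, not code from the thread. Controlled A/B timing of a
# kernel build with SELinux permissive vs enforcing, plus the checks
# asked for above: identical .config apart from SELinux options, a clean
# tree before each run, and a count of AVC denials logged during each run.
# Assumptions (not from the original post): a configured kernel tree at
# $KSRC, root for setenforce and drop_caches, and AVC records in
# $AUDIT_LOG (auditd's audit.log, or /var/log/messages without auditd).

KSRC="${KSRC:-/usr/src/linux}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Print the lines on which two .config files differ once the SELinux
# options are stripped. Empty output means the baselines are comparable.
config_diff() {
    cfg_a=$(mktemp); cfg_b=$(mktemp)
    grep -v 'CONFIG_SECURITY_SELINUX' "$1" > "$cfg_a" || true
    grep -v 'CONFIG_SECURITY_SELINUX' "$2" > "$cfg_b" || true
    diff "$cfg_a" "$cfg_b" || true
    rm -f "$cfg_a" "$cfg_b"
}

# Count AVC denials in log file $1. Matches both auditd's "type=AVC ..."
# records and the plain "avc:  denied" lines syslog writes without auditd.
count_avc_denials() {
    grep -c 'avc: *denied' "$1" || true
}

# Count AVC denials in log $1 that appeared after line $2, where $2 is a
# line count snapshotted (wc -l) just before the build started.
new_avc_denials_since() {
    tail -n +"$(( $2 + 1 ))" "$1" | grep -c 'avc: *denied' || true
}

# Percent overhead of timing $2 relative to baseline $1 (whole seconds).
overhead_pct() {
    awk -v b="$1" -v t="$2" 'BEGIN { printf "%d\n", (t - b) * 100 / b }'
}

# Clean the tree, drop the page cache so every run starts cold, and print
# the wall-clock seconds the build took.
timed_build() {
    make -C "$KSRC" -s clean >/dev/null 2>&1
    sync && echo 3 > /proc/sys/vm/drop_caches
    start=$(date +%s)
    make -C "$KSRC" -s -j"$(nproc)" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# Build once in each mode and report seconds, overhead and new denials.
run_comparison() {
    base=""
    for mode in Permissive Enforcing; do
        setenforce "$mode"
        before=$(wc -l < "$AUDIT_LOG")
        secs=$(timed_build)
        denials=$(new_avc_denials_since "$AUDIT_LOG" "$before")
        [ -z "$base" ] && base=$secs
        printf '%-10s %6ss  overhead=%s%%  new AVC denials=%s\n' \
            "$mode" "$secs" "$(overhead_pct "$base" "$secs")" "$denials"
    done
}

# Only run the build when invoked as: sh selinux_build_bench.sh run
case "${1:-}" in
    run) run_comparison ;;
esac
```

Note that permissive mode still evaluates the policy on every hook, so the permissive/enforcing loop is a same-boot sanity check rather than a measure of SELinux's full cost. To reproduce the comparison the poster actually made (a kernel with SELinux compiled out against one with it in), run timed_build once under each booted kernel after confirming config_diff prints nothing, and feed the two numbers to overhead_pct; a result near the "few percent" Smalley cites is expected, and a 200% figure points at something else (cache state, other load, a different .config) rather than at SELinux.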
