udev slowness and selinux

Daniel J Walsh dwalsh at redhat.com
Tue Dec 6 18:23:03 UTC 2005 

Jason Dravet wrote:
>> From: Stephen Smalley <sds at tycho.nsa.gov>
>> To: Jason Dravet <dravet at hotmail.com>
>> CC: Daniel J Walsh <dwalsh at redhat.com>, 
>> SELinux-dev at tresys.com,        fedora-selinux-list at redhat.com
>> Subject: Re: udev slowness and selinux
>> Date: Tue, 06 Dec 2005 10:45:14 -0500
>>
>> On Tue, 2005-12-06 at 09:24 -0600, Jason Dravet wrote:
>> > Hello,
>> >
>> > I am running todays rawhide and udev is still slow, but it is 
>> better than it
>> > was.  Here are some numbers:
>> > booting with selinux disabled: udev starts in 5 seconds
>> > booting with selinux enabled (libselinux-1.27.28-1): udev starts in 26
>> > seconds.
>> > booting with selinux enabled (older than libselinux-1.27.28-1): 
>> udev started
>> > in 50-60 seconds.
>> > I am running udev-075-4, kernel-2.6.14-1-1740, 
>> libselinux-1.27.28-1, and
>> > selinux-policy-targeted-2.0.9-1.  I am running selinux in targeted 
>> enforcing
>> > mode.
>>
>> Hmmm...I'm still not sure I understand why there has been a recent
>> slowdown, as I wouldn't have expected either reference policy or the
>> matchpathcon canonicalization to have added that much overhead
>> (particularly as we were already validating the contexts).  From your
>> numbers above, it seems that the canonicalization is adding significant
>> overhead, since the canonicalization is performed lazily in libselinux
>> 1.27.28, but we still have major overhead remaining.
>>
>> How exactly are you timing the startup time here, e.g. are you just
>> inserting a time command prior to the /sbin/start_udev call in
>> rc.sysinit or are you timing the entire sequence including the
>> Initializing hardware setup?
>>
>> udev could/should be changed to call matchpathcon_init_prefix(NULL,
>> "/dev") once at startup prior to any matchpathcon() calls to avoid the
>> overhead of processing the entire file_contexts configuration.  But I'd
>> like to get more information on where that time is being spent currently
>> as well, so I'd like to know exactly how you are measuring so I can
>> reproduce it and then try to profile it.
>>
>> -- 
>> Stephen Smalley
>> National Security Agency
>>
> I am using a stop watch to measure the time.  I start the watch when I 
> see starting udev and I stop it when I see loading default keymap.  If 
> you would like me to use a different method of timing please tell me 
> how and I will be happy to use it.
>
> Thanks,
> Jason
>
>
matchpathcon_init_prefix(NULL, "/dev")
has been added to udev, not sure when it will hit rawhide.

--

More information about the fedora-selinux-list mailing list