selinux and udev ?

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 29 16:48:13 UTC 2005


On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
> There are reports in fedora-test about the 2.X policy slowing down
> udev. (Appears that folks are comparing booting with selinux=1 with
> selinux=0).
> 
> I have to admit that udev is running slower (targeted/enforcing).
> 
> Any validity to this?  Known issue? How to track down?

First, check whether you have any avc denials associated with udev in
your audit.log.

If not, then the slowdown is likely in matchpathcon(3), used to match a
path against the file_contexts configuration to obtain a security
context to apply to the device node.  Could be a result of:
- differences in the file_contexts configurations between reference
policy and the original targeted policy (ordering, regex stem lengths,
regex complexity, number of entries, ...),
- the introduction of context canonicalization into matchpathcon(3) to
avoid problems with type aliases (in which case it shouldn't be
different between reference policy and the original targeted policy,
just between old libselinux/kernel versus newer libselinux/kernel
combination - you need both a recent libselinux and a recent kernel to
have the canonicalization support enabled).

-- 
Stephen Smalley
National Security Agency
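
The first check suggested above (AVC denials associated with udev in audit.log), as an added example that is not part of the original message: it parses AVC denial lines and summarizes those attributed to udev. The sample log lines are constructed, and the `udev_t` domain name and the `udev` command-name prefix are assumptions about the local policy.

```python
import re
from collections import Counter

# Constructed sample audit.log lines, for illustration only.
SAMPLE_LOG = """\
type=AVC msg=audit(1133282893.101:12): avc:  denied  { read } for  pid=612 comm="udevd" name="sda" dev=tmpfs ino=1834 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=blk_file
type=AVC msg=audit(1133282893.140:13): avc:  denied  { read write } for  pid=640 comm="udev_volume_id" name="sda1" dev=tmpfs ino=1840 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:device_t tclass=blk_file
type=AVC msg=audit(1133282901.007:19): avc:  denied  { getattr } for  pid=1501 comm="httpd" name="index.html" dev=hda2 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1133282902.500:21): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
type=SYSCALL msg=audit(1133282893.101:12): arch=40000003 syscall=5 success=no exit=-13 pid=612 comm="udevd" exe="/sbin/udevd"
"""

# An AVC denial reads: "avc:  denied  { perms } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the fields of an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def udev_denials(lines, domain="udev_t", comm_prefix="udev"):
    """Keep denials whose source domain or command name points at udev.
    Both defaults are assumptions; adjust them to the policy in use."""
    hits = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        ctx = d.get("scontext", "").split(":")  # user:role:type[:level]
        if (len(ctx) >= 3 and ctx[2] == domain) or d.get("comm", "").startswith(comm_prefix):
            hits.append(d)
    return hits

def summarize(denials):
    """Count denials per (target context, object class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d.get("tcontext"), d.get("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(udev_denials(SAMPLE_LOG.splitlines())).most_common():
        print(n, *key)
```

An empty result on the real log points toward the matchpathcon(3) path described above rather than toward policy denials.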
