From: Ole Kliemann <ole@plastictree.net>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Eric Paris <eparis@redhat.com>
Subject: Re: SELinux performance depending on type count
Date: Fri, 10 Aug 2012 19:00:08 +0200
Message-ID: <20120810170008.GI2296@telvanni>
In-Reply-To: <1344615485.10631.72.camel@moss-pluto.epoch.ncsc.mil>



On Fri, Aug 10, 2012 at 12:18:05PM -0400, Stephen Smalley wrote:
> On Fri, 2012-08-10 at 12:08 -0400, Stephen Smalley wrote:
> > On Fri, 2012-08-10 at 17:44 +0200, Ole Kliemann wrote:
> > > PS: Have you actually reproduced this problem? Could still be 
> > > something else broken on my system...
> > 
> > No, I haven't tried, as you didn't supply a complete policy.
> > 
> > Two other items to double check:
> > - Are you running auditd, and if so, did you check that you aren't
> > flooding it?  That won't show up in dmesg, only
> > in /var/log/audit/audit.log.
> > 
> > - Are you running mcstrans?  If so, disable it.
> 
> Also, what does cat /sys/fs/selinux/policyvers show and what is the
> version suffix on the policy file under /etc/selinux/.../policy?  And
> what is your kernel version?

I don't have an auditd, not running mcstransd and also had 
disabled restorecond.

I take it, /sys/fs/selinux is equivalent to /selinux? 
/sys/fs/selinux is empty on both my Ubuntu systems.

/selinux/policyver is 26, as is the suffix of the policy file.

Complete policy is attached. choke/src/support/choke.spt can be tuned 
to suck even more. Do 'make load' in choke/src/ and you are good 
to go.

[-- Attachment #1.2: choke.tar.bz2 --]
[-- Type: application/octet-stream, Size: 8877 bytes --]
