From: Ole Kliemann <ole@plastictree.net>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Eric Paris <eparis@redhat.com>
Subject: Re: SELinux performance depending on type count
Date: Fri, 10 Aug 2012 20:46:53 +0200
Message-ID: <20120810184653.GK2296@telvanni>
In-Reply-To: <1344622106.10631.75.camel@moss-pluto.epoch.ncsc.mil>
On Fri, Aug 10, 2012 at 02:08:26PM -0400, Stephen Smalley wrote:
> On Fri, 2012-08-10 at 19:00 +0200, Ole Kliemann wrote:
> > I don't have an auditd, not running mcstransd and also had
> > disabled restorecond.
> >
> > I take it, /sys/fs/selinux is equivalent to /selinux?
>
> Yes. /selinux moved to /sys/fs/selinux in more modern distro versions.
>
> > /sys/fs/selinux is empty on both my Ubuntu systems.
> >
> > /selinux/policyver is 26 as is the suffix of the policy file.
> >
> > Complete policy is attached. choke/src/support/choke.spt can be tuned
> > to suck even more. Do 'make load' in choke/src/ and you are good
> > to go.
>
> Ok, loaded. Now what exactly are you doing to test it?

$ runcon choke_u:choke_r:choke_t ksh -l
$ id

Then witness the lag.

If you want hard numbers, use the attached script. First start
off in system_r:unconfined_r:unconfined_t. Run the script
somewhere, /tmp e.g. For proper average value computation you
need 'bc' installed, otherwise it's rounded but doesn't matter.

Then switch to choke_u:choke_r:choke_t. Run the script here. If
it's inconclusive, start uncommenting additional attributes in
choke/src/support/choke.spt.

[-- Attachment #1.2: x.sh --]
[-- Type: application/x-sh, Size: 1122 bytes --]
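
A timing harness of the kind the message describes, given here as an added example: it is not the x.sh attachment, whose contents are not reproduced on this page. The function names, the choice of command and run count, and the GNU `date +%s%N` clock are assumptions.

```shell
#!/bin/sh
# Usage: sh bench.sh RUNS COMMAND [ARGS...]    e.g.  sh bench.sh 100 id
# Run once in the unconfined shell and once in the shell started by runcon.

# Current time in nanoseconds. Assumes GNU date, which supports %N.
now_ns() { date +%s%N; }

# average TOTAL COUNT: TOTAL/COUNT to 3 decimals with bc (bc prints values
# below 1 without a leading zero); truncated integer when bc is missing.
average() {
    if command -v bc >/dev/null 2>&1; then
        echo "scale=3; $1 / $2" | bc
    else
        echo $(( $1 / $2 ))
    fi
}

# mean_ms RUNS COMMAND...: mean wall-clock milliseconds per run of COMMAND.
mean_ms() {
    runs=$1; shift
    total=0; i=0
    while [ "$i" -lt "$runs" ]; do
        start=$(now_ns)
        "$@" >/dev/null 2>&1 || true   # exit status is irrelevant for timing
        end=$(now_ns)
        total=$(( total + end - start ))
        i=$(( i + 1 ))
    done
    average "$total" $(( runs * 1000000 ))
}

# Print the SELinux context the measurement ran in, then the mean.
if [ "$#" -ge 2 ]; then
    echo "context: $(id -Z 2>/dev/null || echo unavailable)"
    echo "mean ms over $1 runs: $(mean_ms "$@")"
fi
```

Comparing the two printed means for the same command and run count gives the per-call overhead attributable to the domain the shell is running in.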