Re: A filename to label translation daemon

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: Colin Walters <walters@verbum.org>,
	Eric Paris <eparis@redhat.com>,
	selinux@tycho.nsa.gov, lennart@poettering.net, sds@tycho.nsa.gov
Subject: Re: A filename to label translation daemon
Date: Thu, 09 Aug 2012 13:06:36 -0400	[thread overview]
Message-ID: <5023EE1C.5060205@redhat.com> (raw)
In-Reply-To: <201208100037.21877.russell@coker.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/09/2012 10:37 AM, Russell Coker wrote:
> On Thu, 9 Aug 2012, Colin Walters <walters@verbum.org> wrote:
>> Seems to make sense...though someone could also probably get fairly far 
>> by writing a regular expression optimizer.  It might not even be that 
>> hard to write a multi-regexp matching engine which took a set of regexps 
>> at once and constructed a single matching DFA for them.
> 
> Is this really going to help?  My slowest system is a P3-866 which takes
> less than 30ms of user time for "restorecon /bin/bash" and takes a total of
> 136ms of wall time if the cache is cold.  On a 1.8GHz 64bit system it's
> only 8ms of user time.
> 
> What benefit are we expecting to get here?
> 
kerberos library currently does a matchpathcon on /tmp/BLAH files and sets the
label correctly.  With this change in the library we are seeing huge
performance hits of apache services caused by loading the regex.

Running make install has caused a huge hit if you are running thousands of
install commands which caused the remove of labeling from the install command.

Systemd has been is executing the load load many many times and is showing up
to 1 second slow down on startup.  If the startup is 10 seconds, it is kind of
hard to justify 10% slowdown on boot.

I believe we just add support for this service and have the labeling fall back
to the default if the labeling socket does not exists, and then distributions
can decide whether or not they want to use it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAj7hsACgkQrlYvE4MpobM/BACfdD0TsYmGFyRc6vh+P4xIMcUB
wzEAn2fTC1sAO7MsA7xlBZoAvmfJsBDI
=bIvH
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2012-08-09 17:06 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-08 19:31 A filename to label translation daemon Eric Paris
2012-08-08 20:05 ` Stephen Smalley
2012-08-08 20:52   ` Daniel J Walsh
2012-08-08 20:55   ` Eric Paris
2012-08-08 21:26 ` Colin Walters
2012-08-09 14:37   ` Russell Coker
2012-08-09 17:06     ` Daniel J Walsh [this message]
2012-08-09 17:51       ` Colin Walters
     [not found]         ` <20120810141101.GC32076@tango.0pointer.de>
     [not found]           ` <20120810141747.GA909@tango.0pointer.de>
2012-08-13 17:36             ` Daniel J Walsh
2012-08-13 17:55               ` Colin Walters
2012-08-13 18:06                 ` Daniel J Walsh
2012-08-14 11:18                 ` Russell Coker
2012-08-14 12:38                   ` Eric Paris
2012-08-14 14:01                     ` Eric Paris
2012-08-14 16:48                       ` Stephen Smalley
2012-08-14 17:21                         ` Eric Paris
2012-08-14 22:34                         ` Russell Coker
2012-08-15  5:56                     ` Russell Coker
2012-08-15 13:22                       ` Eric Paris
2012-08-16 23:51                         ` Eric Paris
2012-08-10  2:28       ` Russell Coker
2012-08-10 12:39         ` Daniel J Walsh
2012-08-10 13:35           ` Russell Coker
2012-08-12 11:02             ` Daniel J Walsh
     [not found]           ` <20120810140503.GB32076@tango.0pointer.de>
2012-08-12 11:03             ` Daniel J Walsh
     [not found]               ` <20120813151821.GB4861@redhat.com>
2012-08-13 16:37                 ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5023EE1C.5060205@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=eparis@redhat.com \
    --cc=lennart@poettering.net \
    --cc=russell@coker.com.au \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=walters@verbum.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.