SELinux Mailing List

Re: changes in ~2.6.13 break postfix policy?

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Tue, 15 Nov 2005 08:19:28 -0500


On Tue, 2005-11-15 at 07:59 -0500, James Morris wrote:
> On Tue, 15 Nov 2005, Stephen Smalley wrote:
>
> > On Mon, 2005-11-14 at 18:07 -0500, James Morris wrote:
> > > Ok. I also wonder whether we still need CONFIG_SECURITY_NETWORK at
> > > all.
> >
> > Possibly not. Might be worth running network benchmarks with it
> > disabled and enabled, with selinux=0 in both cases, just to see what
> > overhead the LSM hooks impose (if any). sock_rcv_skb is likely the only
> > real concern.
>
> Even if it does impose an overhead, I don't see that it's useful as an
> option. People generally either enable LSM for SELinux or not.

True. However, I can envision people who want to apply SELinux for local confinement of processes without necessarily caring about the network controls, and I can further envision them not wanting the performance overhead on the network path created by e.g. the sock_rcv_skb hook and the netfilter hooks. So that seems like a reasonable configuration option. The current CONFIG_SECURITY_NETWORK isn't very useful in that respect because it covers not only those networking checks but also the socket hooks, including the checking for Unix/local sockets.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Tue 15 Nov 2005 - 08:19:49 EST