SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: dynamic context transitions - a seteuid parallel This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Russell Coker <russell_at_coker.com.au> Date: Wed, 3 Nov 2004 13:59:43 +1100 On Tue, 2 Nov 2004 23:49, "Frank Mayer" <mayerf@tresys.com> wrote: > So if we were honest, the real reason we want to change security content is > for performance reasons, not security assurance reason. Which probably made a lot of sense for Xenix, an 80286 was not a particularly fast CPU. I've just done a quick test of exec time. For a process to exec itself it takes an average of .9ms per exec on a P3-650. In the past we have discussed at length issues related to modifying Samba for best operation under SE Linux. It seems to me that any disk sub-system you might find attached to a P3-650 class CPU is unlikely to support 1000 operations of the form of file create/open/unlink per second. So therefore if we were to have a Samba server process fork off a child for each file open we still probably wouldn't have the exec be the bottleneck for Samba performance. Now we have to keep in mind that doing a fork/exec for every file open isn't the best way of doing such things. If we create a helper process when the SMB authentication is performed and pass requests to it via a Unix domain socket then performance should be better. What is the trend in new CPUs? Are they getting worse or better for exec performance? The only machine better than a P3-800 that I have for testing is a pitiful P-M. What programs have the greatest performance requirements in terms of launching processes under a different context? I suspect that a Samba server with the design changes we discussed could be near the top of the list, with the main competitor being a busy web server that's launching cgi-bin scripts. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Tue 2 Nov 2004 - 22:00:02 EST This message: [ Message body ] Next message: Russell Coker: "Re: Patch to make can_network stronger and remove nscd tunable." Previous message: Chris PeBenito: "Re: What policy is the system running?" In reply to: Frank Mayer: "RE: dynamic context transitions - a seteuid parallel" Next in thread: Frank Mayer: "RE: dynamic context transitions - a seteuid parallel" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom