SELinux Mailing List

RE: Now that SELinux supports booleans should we replace tunables with booleans?

From: Karl MacMillan <kmacmillan_at_tresys.com>
Date: Wed, 14 Apr 2004 13:19:15 -0400


> -----Original Message-----
> From: Russell Coker [mailto:russell@coker.com.au]
> I think that the issue with performance is kernel memory use. Currently for FC2T2 we have 7M policydb files which roughly equates to 7M of kernel memory reserved, which has a huge impact on older hardware! Most of this is due to compiling in support for every .te file.
>
> For a typical machine compiling only the .te files that we need should get this down to around 2M. So obviously for space the correct selection of .te files is a much more significant issue than booleans. However such selection of .te files requires a full environment for building policy on each machine (which removes one of the advantages you stated for using booleans instead of tunables). As configuration of policy features in ways other than removal of unwanted .te files becomes more popular, the volume of policy (and therefore size of policydb) will depend much more on such things. I expect that in the not too distant future we will have a factor of 2-3 in policydb size determined by tunables. If this is all done in booleans then there will be some significant amounts of wasted space.
>

This definitely is a problem, especially since this kernel memory is not swappable. If this amount of policy is controlled by the tunables (much more than I thought) then I agree that it is best left as tunables for now.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 14 Apr 2004 - 13:19:30 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009
