Re: Kernel module for file protection ideas
Valdis.Kletnieks
vt.edu
Date: Fri Jan 09 2004 - 15:27:21 CST
On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya
online.gateway.technolabs.net> said:
> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for every file access and parsing through a list of datastructs and other stuff
> that would possibly make the system very slow for any "real world" use
Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticeable. On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).
The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There's places in the filesystem you want /bin/ls to be able to look but you
don't want /bin/passwd to be looking.
The policy.conf file for the SELinux on my laptop is 55,000+ lines long. And
that's the REAL issue - trying to describe the security policy for a production
system....
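Added example (not code from the message above or from SELinux): the two points in the reply, that a per-access check should not be a linear scan and that the answer depends on which program is asking, sketched as a hash table keyed on (program, path) with default deny. The function names, the exact-path matching, and the sample rules are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NBUCKETS 64              /* power of two, so mask instead of modulo */
#define MAXRULES 32
struct rule {
    const char *prog, *path;     /* requesting program, exact target path */
    int allow;                   /* 1 = allow, 0 = deny */
    struct rule *next;           /* collision chain within one bucket */
};
static struct rule pool[MAXRULES], *bucket[NBUCKETS];
static int nrules;

/* FNV-1a over prog, a zero byte, then path: hashing cost does not grow
 * with the number of rules. */
static unsigned hash_key(const char *prog, const char *path) {
    unsigned h = 2166136261u;
    for (; *prog; prog++) h = (h ^ (unsigned char)*prog) * 16777619u;
    h *= 16777619u;              /* separator: ("ab","c") != ("a","bc") */
    for (; *path; path++) h = (h ^ (unsigned char)*path) * 16777619u;
    return h & (NBUCKETS - 1);
}

int rule_add(const char *prog, const char *path, int allow) {
    if (nrules == MAXRULES) return -1;
    struct rule *r = &pool[nrules++];
    unsigned b = hash_key(prog, path);
    r->prog = prog; r->path = path; r->allow = allow;
    r->next = bucket[b]; bucket[b] = r;
    return 0;
}

/* Default deny: a (program, path) pair with no matching rule is refused. */
int check_access(const char *prog, const char *path) {
    for (struct rule *r = bucket[hash_key(prog, path)]; r; r = r->next)
        if (!strcmp(r->prog, prog) && !strcmp(r->path, path))
            return r->allow;
    return 0;
}

/* Constructed sample rules; the paths are illustrative, not from any real policy. */
int load_sample_policy(void) {
    return rule_add("/bin/ls", "/home/alice", 1)
         | rule_add("/bin/passwd", "/etc/shadow", 1);
}

int main(void) {
    load_sample_policy();
    printf("ls=%d passwd=%d\n", check_access("/bin/ls", "/home/alice"),
           check_access("/bin/passwd", "/home/alice"));
    return 0;
}
```

The lookup touches only the rules that share one bucket, so adding more rules for other programs does not lengthen the check for this one.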