On Fri, 2007-01-19 at 07:40 -0500, Stephen Smalley wrote: > The entire discussion of allowing one to rpm -e libselinux is a red > herring; applications already perform an is_selinux_enabled() test > before performing SELinux processing and skip it if disabled. > Supporting removal of libselinux would just mean that those > applications would first dlopen() libselinux (vs. direct calls to the > libselinux functions, which create the current fixed link-time > dependency) and fall back to the selinux-disabled code path if > libselinux isn't present. But in both cases, you are relying on the > application code to follow the right branch and to truly skip all > SELinux processing when selinux isn't enabled / libselinux isn't > present. It might make a difference in terms of code bloat (although > libselinux isn't that big and you are trading off runtime performance > for the dlopen), but it doesn't change the trust issues. For some people, having it running certainly causes a performance loss. Whether that's down to SELinux, itself, or the logging, I've not experimented with. -- (Currently testing FC5, but still running FC4, if that's important.) Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
