On Fri, 2007-01-19 at 20:10 -0500, Lyvim Xaphir wrote:
> On Sat, 2007-01-20 at 08:21 +1030, Tim wrote:
> > Tim:
> > >> For some people, having it running certainly causes a performance
> > >> loss. Whether that's down to SELinux, itself, or the logging, I've
> > >> not experimented with.
> >
> > Lyvim Xaphir:
> > > Have you been able to get around the lag with selinux=0?
> >
> > Not that I want to be rude, but what other method do you think I used to
> > determine it was faster without SELinux?
>
> SElinux has three modes; enforcing (or "active"), warning (or
> "permissive") and "disabled". From what you wrote here I glean that
> you've only compared "active" with "disabled", the two modes you are
> familiar with. My question was really directed at getting to know if
> you had touched on permissive mode with regards to performance. I just
> "assumed" that you would know that, which was my error.

Permissive mode shouldn't be any different than enforcing mode wrt
performance, aside from possible differences in what audit messages get
generated and the resulting load on the audit system.

> I understand that "echo 0 > /selinux/enforce" switches an active
> "enforcing" system to permissive mode, and "echo 1 > /selinux/disable"
> is supposed to be equivalent to disabled entirely. I was also thinking
> that it would be interesting to observe how SElinux behaves with regard
> to performance when the echo method is used to disable, as compared to
> selinux=0. Just for the heck of it. Yes I know they are supposed to be
> the same, but still experimental verification couldn't hurt.

selinux=0 is better since it can be detected by SELinux immediately during
initialization and preclude any registration of hooks or allocation of
memory by SELinux. /selinux/disable has to retroactively unregister the
hooks. Of course, in the end, both should yield the same runtime
performance since the hooks are no longer registered, but there could be
slight variances.

-- 
Stephen Smalley
National Security Agency
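An added example, not from this thread or from the SELinux project: a small POSIX sh check that reports which of the three modes discussed above a system is in, and, when SELinux is disabled, whether that came from `selinux=0` on the kernel command line or from a runtime write to `/selinux/disable` (the latter leaves no trace on the command line, which is the case an administrator auditing a box would want flagged). The selinuxfs directory and the cmdline file are parameters (assumptions: `/selinux` on 2007-era kernels, `/sys/fs/selinux` on current ones; selinuxfs is gone after a runtime disable), so the logic can be exercised against constructed fixtures without root.

```shell
#!/bin/sh
# Example code, not part of the original thread.
# selinux_mode SELINUXFS
#   prints: enforcing | permissive | disabled
#   Assumption: the selinuxfs mount is /selinux (old) or /sys/fs/selinux
#   (new); once SELinux is disabled, selinuxfs is unmounted and the
#   "enforce" file no longer exists.
selinux_mode() {
    fs="$1"
    if [ ! -r "$fs/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$fs/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# selinux_disabled_how SELINUXFS CMDLINE_FILE
#   prints: boot    -> selinux=0 was passed on the kernel command line
#           runtime -> disabled, but no selinux=0: something wrote to
#                      /selinux/disable after boot; worth investigating
#           -       -> not disabled
#   CMDLINE_FILE is normally /proc/cmdline.
selinux_disabled_how() {
    fs="$1"; cmdline="$2"
    [ "$(selinux_mode "$fs")" = disabled ] || { echo -; return 0; }
    if grep -qE '(^| )selinux=0( |$)' "$cmdline"; then
        echo boot
    else
        echo runtime
    fi
}

# Typical invocation on a live system (paths are the assumed defaults):
#   selinux_mode /sys/fs/selinux
#   selinux_disabled_how /sys/fs/selinux /proc/cmdline
```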