On Mon, 2007-01-22 at 09:29 -0500, Stephen Smalley wrote:
> On Fri, 2007-01-19 at 20:10 -0500, Lyvim Xaphir wrote:
> > On Sat, 2007-01-20 at 08:21 +1030, Tim wrote:
> > > Tim:
> > > >> For some people, having it running certainly causes a performance
> > > >> loss. Whether that's down to SELinux, itself, or the logging, I've
> > > >> not experimented with.
> > >
> > > Lyvim Xaphir:
> > > > Have you been able to get around the lag with selinux=0?
> > >
> > > Not that I want to be rude, but what other method do you think I used to
> > > determine it was faster without SELinux?
> > >
> >
> > SElinux has three modes; enforcing (or "active"), warning (or
> > "permissive") and "disabled". From what you wrote here I glean that
> > you've only compared "active" with "disabled", the two modes you are
> > familiar with. My question was really directed at getting to know if
> > you had touched on permissive mode with regards to performance. I just
> > "assumed" that you would know that, which was my error.
>
> Permissive mode shouldn't be any different than enforcing mode wrt
> performance, aside from possible differences in what audit messages get
> generated and the resulting load on the audit system.
>
> > I understand that "echo 0 > /selinux/enforce" switches an active
> > "enforcing" system to permissive mode, and "echo 1 > /selinux/disable"
> > is supposed to be equivalent to disabled entirely. I was also thinking
> > that it would be interesting to observe how SElinux behaves with regard
> > to performance when the echo method is used to disable, as compared to
> > selinux=0. Just for the heck of it. Yes I know they are supposed to be
> > the same, but still experimental verification couldn't hurt.
>
> selinux=0 is better since it can be detected by SELinux immediately
> during initialization and preclude any registration of hooks or
> allocation of memory by SELinux. /selinux/disable has to retroactively
> unregister the hooks. Of course, in the end, both should yield the same
> runtime performance since the hooks are no longer registered, but there
> could be slight variances.
>
> --
> Stephen Smalley
> National Security Agency

I got this red button from Staples for Christmas, with "easy" on the top
of it. Here, let me press it...

"that was easy"

:)

LX

--
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Off Topic or Political Discussions:
http://mandrakeot.mdw1982.com/
http://www.mdw1982.com/mailman/listinfo/mandrakeot
"Character is what you do when nobody's looking." - J.C. Watts
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
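
The states discussed in this thread (enforcing, permissive, disabled with selinux=0, disabled some other way) can be told apart from the kernel command line and the selinuxfs `enforce` node. The following is an added example, not part of the original messages: the function name `selinux_state` and its output labels are hypothetical, and it assumes the `/selinux` mount point used in the thread and that a missing `enforce` node means SELinux is not active.

```shell
#!/bin/sh
# Added example: report the SELinux state an auditor would record for a host.
# Usage: selinux_state [cmdline_file] [selinuxfs_dir]
# Both arguments are optional so the function can be pointed at test fixtures.
selinux_state() {
    cmdline_file=${1:-/proc/cmdline}
    fs_dir=${2:-/selinux}   # mount point named in the thread (assumption)

    # An unreadable command line is treated as "no selinux=0 given".
    cmdline=$(cat "$cmdline_file" 2>/dev/null) || cmdline=""

    # selinux=0 is seen during initialization, so no hooks are ever registered.
    case " $cmdline " in
        *" selinux=0 "*) echo "disabled-at-boot"; return 0 ;;
    esac

    # No enforce node: SELinux is off, but not because of selinux=0
    # (for example a runtime disable, which unregisters the hooks afterwards).
    if [ ! -r "$fs_dir/enforce" ]; then
        echo "disabled-other"
        return 0
    fi

    # The enforce node holds 1 for enforcing and 0 for permissive.
    case $(cat "$fs_dir/enforce") in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown"; return 1 ;;
    esac
}
```

Called with no arguments it inspects the live system; a result of `permissive` or either `disabled-*` value on a host that is expected to enforce policy is worth flagging.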