On Fri, 2007-09-21 at 10:44 -0500, Mike McCarty wrote: > Matthew Miller wrote: > > On Thu, Sep 20, 2007 at 11:49:41PM -0400, David Boles wrote: > > If you do this, are you still paying the performance penalty but with no > > security gain? > > Depends on what you mean by "performance penalty". > One measure of performance is RAM utilization. If SELinux is > built into the distro, then it eats RAM regardless of whether > it be "enforcing". Furthermore, some of the code in it > gets executed, no matter what. What you say is right on the spot. I have a low end (i586) machine which kills itself by running out of memory during selinux-policy updates or relabel actions. Ralf