On Fri, 09 Jan 2004 11:28:50 +0530, "Aditya [ Aditya Lalit Deshmukh ]" <aditya_at_online.gateway.technolabs.net> said:
> this would be a very bad idea as any kernel level programmer will tell you
> that every 'if' takes time for comparison and you will be doing that every time
> for every file access and parsing through a list of datastructs and other stuff
> that would possibly make the system very slow for any "real world" use
Odd, I'm running SELinux, which calls a hook on most system calls, and the slowdown
isn't noticeable. On the other hand, much thought went into work on optimizing
the speed (hint 1: a linear search through a list is NOT the way to do it).
The problem is that properly defining all the security contexts is tricky - for
instance, you may want to make "which filenames are bad" depend on the program.
There are places in the filesystem you want /bin/ls to be able to look but you
don't want /bin/passwd to be looking.
The policy.conf file for the SELinux on my laptop is 55,000+ lines long. And
that's the REAL issue - trying to describe the security policy for a production
system....
Received on Jan 10 2004