selinux and udev ?

Stephen Smalley sds at tycho.nsa.gov
Tue Nov 29 16:51:59 UTC 2005


On Tue, 2005-11-29 at 11:48 -0500, Stephen Smalley wrote:
> On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
> > There are reports in fedora-test about the 2.X policy slowing down
> > udev. (Appears that folks are comparing booting with selinux=1 with
> > selinux=0).
> > 
> > I have to admit that udev is running slower (targeted/enforcing).
> > 
> > Any validity to this?  Known issue? How to track down?
> 
> First, check whether you have any avc denials associated with udev in
> your audit.log.
> 
> If not, then the slowdown is likely in matchpathcon(3), used to match a
> path against the file_contexts configuration to obtain a security
> context to apply to the device node.  Could be a result of:
> - differences in the file_contexts configurations between reference
> policy and the original targeted policy (ordering, regex stem lengths,
> regex complexity, number of entries, ...),
> - the introduction of context canonicalization into matchpathcon(3) to
> avoid problems with type aliases (in which case it shouldn't be
> different between reference policy and the original targeted policy,
> just between old libselinux/kernel versus newer libselinux/kernel
> combination - you need both a recent libselinux and a recent kernel to
> have the canonicalization support enabled).

Random thought:  As udev only manages devices, why not run file_contexts
through a filter to extract /dev entries at policy build time, saving
the result as a file_contexts.dev file, and have udev use
matchpathcon_init() to select that file for its matching.  That would
then avoid having to process the entire file contexts configuration for
udev.

-- 
Stephen Smalley
National Security Agency
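The build-time filter suggested in the message above, worked through as an added example (it is not part of the original post, nor code from libselinux or udev). The filter is sound because libselinux anchors every file_contexts regex (it compiles `^regex$`), so a path can only match an entry whose leading literal characters (everything before the first regex metacharacter) are a prefix of that path; an entry can therefore apply under /dev only if that literal prefix is itself a prefix of `/dev` or begins with `/dev/`. The sample file_contexts below is constructed for the demonstration and is not a real distribution policy; the install path in the comments is an assumed location. Backslash escapes are not interpreted, which only makes the filter keep a few entries it could have dropped.

```shell
#!/bin/sh
# Added example: produce a /dev-only file_contexts ("file_contexts.dev")
# from a full file_contexts, so udev can point matchpathcon_init() at the
# small file instead of processing the whole configuration.
#
# Assumed build-time use (paths are an assumption, not a libselinux rule):
#   filter_dev_contexts < /etc/selinux/targeted/contexts/files/file_contexts \
#       > /etc/selinux/targeted/contexts/files/file_contexts.dev

# Keep every entry whose regex could match "/dev" or a path below it.
# Relies on libselinux anchoring each regex as ^regex$: the literal prefix
# of the regex must then be a prefix of any path it matches. Entry order is
# preserved, so "last matching entry wins" behaves as with the full file.
filter_dev_contexts() {
    awk '
    # Leading characters of re up to (not including) the first regex
    # metacharacter. A backslash also ends the prefix, which is
    # conservative: escapes are not interpreted here.
    function literal_prefix(re,    i, c) {
        for (i = 1; i <= length(re); i++) {
            c = substr(re, i, 1)
            if (index(".^$?*+|[](){}\\", c) > 0) break
        }
        return substr(re, 1, i - 1)
    }
    /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
    {
        lp = literal_prefix($1)            # $1 is the regex, $2.. type/context
        # A path under /dev is "/dev" or "/dev/...": keep the entry if its
        # literal prefix is a prefix of "/dev" (including "/" and "") or
        # starts with "/dev/". Anything else can never match such a path.
        if (substr("/dev", 1, length(lp)) == lp || substr(lp, 1, 5) == "/dev/")
            print
    }'
}

# Constructed sample in file_contexts syntax (not a real policy file).
sample_file_contexts() {
    cat <<'EOF'
# regex                          [type]  context
/.*                                      system_u:object_r:default_t:s0
/dev(/.*)?                               system_u:object_r:device_t:s0
/dev/null                        -c      system_u:object_r:null_device_t:s0
/dev/tty[^/]*                    -c      system_u:object_r:tty_device_t:s0
/etc(/.*)?                               system_u:object_r:etc_t:s0
/usr/bin(/.*)?                           system_u:object_r:bin_t:s0
/(var/run|dev)/\.static(/.*)?            system_u:object_r:device_t:s0
/\.autofsck                      --      system_u:object_r:etc_runtime_t:s0
/dev                             -d      system_u:object_r:device_t:s0
EOF
}

# Number of entries the filter keeps from the sample (used by the checks).
count_dev_entries() {
    sample_file_contexts | filter_dev_contexts | wc -l | tr -d ' '
}

# Stand-alone run: show what would land in file_contexts.dev.
sample_file_contexts | filter_dev_contexts
```

Of the nine sample entries, the filter drops `/etc(/.*)?` and `/usr/bin(/.*)?` and keeps the rest, including the stemless `/.*` and `/(var/run|dev)/...` entries that libselinux would try against a /dev path. Before shipping such a file, compare answers for a list of device paths with the full and the filtered configuration, for instance with matchpathcon(8) and its `-f` option for an alternate file_contexts, so that udev labels every node exactly as the full file would; the canonicalization concern mentioned earlier in the thread is unaffected, since it is applied to the context returned, not to the entry selection.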



