How NSA access was built into Windows
Stephen Smalley
sds at tycho.nsa.gov
Mon Jan 22 18:06:06 UTC 2007
On Mon, 2007-01-22 at 12:49 -0500, Gene Heskett wrote:
> On Monday 22 January 2007 10:13, Stephen Smalley wrote:
> >On Sun, 2007-01-21 at 17:11 -0500, Gene Heskett wrote:
> >> On Sunday 21 January 2007 14:36, Lyvim Xaphir wrote:
> >> >On Sun, 2007-01-21 at 01:14 -0500, R. G. Newbury wrote:
> >> >> David Boles wrote:
> >>
> >> [and I snipped, we have enough trolls under this bridge already]
> >>
> >> Also, to add a bit of fuel to the fire, I just rebuilt my 2.6.20-rc4
> >> again after having found some more selinux stuff in the previous build
> >> that I am now running without.
> >>
> >> 1: Now my logs are clean again.
> >>
> >> 2: It took me 27 minutes to build that selinux free kernel. Now check
> >> this, after having added quite a few usb network related modules as
> >> I'm trying to get into a wap11 via the usb port, which will allow me
> >> to do a reset to factory, something I cannot do from the snmp
> >> interface because that interface requires the old password, something
> >> I've forgotten in the 8 months since I last used this device.
> >>
> >> #> time ./makeit
> >> [snip about 200k of make output]
> >> All done! Edit grub.conf, reboot and chose your kernel at the grub
> >> prompt
> >>
> >> real 8m42.183s
> >> user 4m21.606s
> >> sys 1m11.805s
> >> [root@coyote linux-2.6.20-rc4]#
> >>
> >> Now, I could have done something to speed this system up that's not
> >> related to selinux, but the only things I've done are to rip out the
> >> livna versions of mplayer and mplayerplugin with --nodeps, and put
> >> them back in from dries before they were missed, and then restart
> >> firefox from its own file menu pulldown, (normal quits and re-runs
> >> didn't seem to do it) and now both foxnews and cnn videos now play,
> >> although cnn's videos act like the server is in need of quite a bit
> >> more iron in its diet.
> >>
> >> Now, somebody, preferably Dr. Smalley, please explain to me why I
> >> should run something that takes a 9 minute compile and makes it take
> >> 27 minutes to do it. And the rest of the system just plain feels
> >> snappier.
> >
> >(1) I'm not a PhD.
>
> Oh, I guess I was echoing someone else who made that assumption.
>
> >(2) If SELinux tripled your kernel compile time, then something is
> >terribly wrong with it. I've never seen that kind of overhead in kernel
> >compile benchmarks, not even close. More like a few percent. Please
> >verify that you are using comparable baselines (e.g. same kernel other
> >than selinux options in .config)
>
> The first version of this kernel, 2.6.20-rc4, was a clean build, but
> apparently with pretty close to an allyes config, and no idea how that
> happened. That took 37 minutes on an XP2800 Athlon with a gig of ram.
> The next build, I had gone about halfway down the make xconfig menu
> canceling stuff I knew I didn't need or my mobo didn't support. That
> took 33 minutes to build.
>
> The third time I'd gone through it specifically looking for selinux related
> stuff and turning it off. It was at that point my logs started being
> flooded with those messages I posted, but I found that one of the selinux
> related things in services was still being run so I stopped that and the
> messages went away. That was audit probably but don't make me lay a
> hand on the good book when I say it, too much is going on. There was a
> concurrent edit to the crond script in /etc/pam.d also. That build took
> 27 minutes.
>
> Then the 4th time I was trying to get access to a wap11 through its usb
> port so I could reset the password and a few other things & maybe put it
> back to use. So that build actually built more modules than the 3rd one,
> (BTW, that didn't work, and no one answered my question about it here on
> this list. I still had to plug it into my lappy and run the winderz crap
> to do that. Gives me the hives.)
>
> This is the build that took a bit less than 9 minutes. To me the major
> diff there is that this was the first kernel built with a kernel built
> without as much selinux as I could turn off, and rebooted to with
> an 'selinux=0' as an additional argument in the grub kernel command line.
>
> >and tests (are you sure your second
> >build was from a clean state, and was there any other system activity
> >ongoing during either build?). Can you reproduce the result reliably?
>
> I believe I could reboot to 2.6.20-rc3, start all the stopped services
> and then rebuild this kernel I suppose. Seems like a waste of time
> though. As for 'system activity', fetchmail, procmail, spamassassin
> were all running, and I may have had a session of patience (solitaire)
> running, or browsing the web. Or all of the above, linux does multitask
> you know. :)
>
> I am using ccache though, and its du -b indicates it's using about 1.5GB.
> My makeit script does a make clean at the top of it. It does everything
> but edit grub.conf for me, and maintains the old kernel and initrd
> & /lib/modules/$VER in a state that a foobar fix is a matter of deleting
> the new stuff and renaming the old to its original names.
Sounds more like ccache sped up your build than anything selinux
related.
--
Stephen Smalley
National Security Agency