On Fri, 22 Aug 2003 06:47, Brian Pontz wrote:
> > You can use one of the existing access control modules (DTE, SELinux,
> > ...) to achieve this goal; just assign different security types to the
> > directories and their files and then define your security policy
> > configuration accordingly.
>
> How scalable are those? I'm talking 100K plus directories I need to do
> this for.

As Steve mentioned you can solve your stated requirements with two rules.

However if you did need to have separate types for each of the 100K
directories it still wouldn't be a problem. I've run 20,000 rules on a PDA
and 100,000 rules on a laptop (*). SE Linux seems to scale reasonably well.

I have heard rumors of people having 500,000 rules in a SE Linux system and
not finding any problems. I've done experiments with 300,000 rules. I have
never tried to push it as far as possible and see if it breaks though. I
probably should set up a system with a few million rules and see what
happens. ;)

(*) The rules were for a policy based on the sample policy which does many
other things than control access to executing files. But I don't imagine
that rules specifying which of the hundreds of potential actions each daemon
may be permitted to take is any more or less difficult at the kernel level
than simply determining directory/file access.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 21:14:28 PDT