On Thu, 2005-05-26 at 01:28 -0400, Valdis.Kletnieks@private wrote:

> When you're a state agency, you get audited by whoever shows up from the state
> capitol. We don't get the luxury of choosing who.

And these auditors would actually mandate you use "chroot"? Just like that? I'm sure if they questioned you about it you could describe how SELinux replaces it.

> I'd *love* to see you get an SELinux-based solution that can get anywhere
> near that for speed, slab usage, or stack usage. ;)

You could write vtkit_follow_link in i386 assembler too...the question is, was the SELinux-based solution actually a bottleneck for system performance?

> I have to protect one undergrad from another, on an older Dell system that has
> a 700mz processor and 128M of memory. And at 128M, the fact that you *could*
> trim SELinux from 17M of slab space down to 8M still doesn't compare well with
> another "good enough" solution that gets the job done in under 1K.

Ok, this is a more reasonable argument. Does the strict policy really require 17M of kernel memory (that's nonpageable?). Stephen/James, is there a way SELinux memory usage could be reduced for relatively simple policies like this? Besides older machines, once Xen is widely deployed it will be valuable to reduce kernel memory usage so that more virtual instances can be deployed on the same machine.
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 22:46:29 PDT