On Tue, 2005-11-29 at 11:48 -0500, Stephen Smalley wrote:
On Tue, 2005-11-29 at 08:20 -0800, Tom London wrote:
There are reports in fedora-test about the 2.X policy slowing down udev. (Appears that folks are comparing booting with selinux=1 with selinux=0).
I have to admit that udev is running slower (targeted/enforcing).
Any validity to this? Known issue? How to track down?
First, check whether you have any avc denials associated with udev in your audit.log.
If not, then the slowdown is likely in matchpathcon(3), used to match a path against the file_contexts configuration to obtain a security context to apply to the device node. Could be a result of:
- differences in the file_contexts configurations between reference policy and the original targeted policy (ordering, regex stem lengths, regex complexity, number of entries, ...),
- the introduction of context canonicalization into matchpathcon(3) to avoid problems with type aliases (in which case it shouldn't be different between reference policy and the original targeted policy, just between old libselinux/kernel versus newer libselinux/kernel combination - you need both a recent libselinux and a recent kernel to have the canonicalization support enabled).
Random thought: As udev only manages devices, why not run file_contexts through a filter to extract /dev entries at policy build time, saving the result as a file_contexts.dev file, and have udev use matchpathcon_init() to select that file for its matching. That would then avoid having to process the entire file contexts configuration for udev.