[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [kay.sievers@vrfy.org]

From: Stephen Smalley <sds tycho nsa gov>
To: Daniel J Walsh <dwalsh redhat com>
Cc: fedora-selinux-list redhat com, Bill Nottingham <notting redhat com>
Subject: Re: [kay.sievers@vrfy.org]
Date: Mon, 06 Feb 2006 13:35:35 -0500

On Mon, 2006-02-06 at 13:15 -0500, Daniel J Walsh wrote:
> How about if we changed the call to
>         if ( mode & S_IFBLK ) {
>             media = get_media(devname, mode);
>             if (media) {
>                 ret = matchmediacon(media, &scontext);
>                 free(media);
>             }
>         }

You already have a test of (mode & S_IFBLK) on entry to get_media, so I
don't see what that buys you.  Still limited to ide devices by get_media
only checking /proc/ide.  I don't think her concern with the media
support was performance, just generality and use of sysfs.  Performance
concern was with selinux_init.

On the performance overhead issue, only real improvement would be to
move all matchpathcon_init+matchpathcon processing into the daemon and
have the daemon pass the required contexts to the event commands on the
command line or via pipe.  

-- 
Stephen Smalley
National Security Agency

References:
- [kay.sievers@vrfy.org]
  - From: Bill Nottingham
- Re: [kay.sievers@vrfy.org]
  - From: Stephen Smalley
- Re: [kay.sievers@vrfy.org]
  - From: Daniel J Walsh

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]