udev slowness and selinux

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 6 17:23:06 UTC 2005


On Tue, 2005-12-06 at 10:45 -0500, Stephen Smalley wrote:
> Hmmm...I'm still not sure I understand why there has been a recent
> slowdown, as I wouldn't have expected either reference policy or the
> matchpathcon canonicalization to have added that much overhead
> (particularly as we were already validating the contexts).  From your
> numbers above, it seems that the canonicalization is adding significant
> overhead, since the canonicalization is performed lazily in libselinux
> 1.27.28, but we still have major overhead remaining.
> 
> How exactly are you timing the startup time here, e.g. are you just
> inserting a time command prior to the /sbin/start_udev call in
> rc.sysinit or are you timing the entire sequence including the
> Initializing hardware setup?
> 
> udev could/should be changed to call matchpathcon_init_prefix(NULL,
> "/dev") once at startup prior to any matchpathcon() calls to avoid the
> overhead of processing the entire file_contexts configuration.  But I'd
> like to get more information on where that time is being spent currently
> as well, so I'd like to know exactly how you are measuring so I can
> reproduce it and then try to profile it.

Part of the slowdown could also be from libsetrans (both on translating
contexts prior to storing them in the spec array and for the translation
that occurs upon the security_canonicalize_context calls).  Possibly we
should make the context translation lazy as well, as with the
canonicalization.  But the largest savings are likely to come from using
matchpathcon_init_prefix() and avoiding processing of many file_contexts
entries altogether.

-- 
Stephen Smalley
National Security Agency
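The saving described above comes from skipping file_contexts entries that cannot apply under the requested prefix, so far fewer regexes are compiled and tried. The following toy C model is an added illustration, not libselinux or udev code: it loads a constructed file_contexts table with and without a "/dev" prefix, counts the entries a prefix-aware loader keeps, and shows that a lookup outside the prefix then finds nothing. The literal-stem comparison rule is an assumption modelled on the idea, not libselinux's implementation.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample file_contexts entries (regex, optional file type as in
 * the "-c" field, context); not a real policy. */
static const struct spec { const char *re; char ftype; const char *ctx; } sample_fc[] = {
    { "/dev(/.*)?",     0,   "system_u:object_r:device_t:s0" },
    { "/dev/null",      'c', "system_u:object_r:null_device_t:s0" },
    { "/dev/tty[0-9]*", 'c', "system_u:object_r:tty_device_t:s0" },
    { "/etc(/.*)?",     0,   "system_u:object_r:etc_t:s0" },
    { "/usr/bin(/.*)?", 0,   "system_u:object_r:bin_t:s0" },
    { "/var/log(/.*)?", 0,   "system_u:object_r:var_log_t:s0" },
};
#define NSPEC (sizeof sample_fc / sizeof sample_fc[0])

/* Assumed rule: a spec is worth compiling only if the literal stem of its regex
 * (text before the first metacharacter) agrees with the prefix; "" = no prefix. */
static int spec_in_prefix(const struct spec *s, const char *prefix) {
    size_t stem = strcspn(s->re, ".^$?*+|[(\\{"), plen = strlen(prefix);
    return strncmp(s->re, prefix, stem < plen ? stem : plen) == 0;
}

/* How many entries a prefix-aware loader would compile for this prefix. */
int specs_kept(const char *prefix) {
    int n = 0;
    for (size_t i = 0; i < NSPEC; i++)
        n += spec_in_prefix(&sample_fc[i], prefix);
    return n;
}

/* Match a path against the kept entries; the last matching entry wins, as in
 * file_contexts. ftype is 'c', 'b', 'd', ... or 0. Copies the context into out
 * and returns its length, or -1 if nothing matched (paths outside the prefix). */
int lookup(const char *path, char ftype, const char *prefix, char *out, size_t outlen) {
    int found = -1;
    for (size_t i = 0; i < NSPEC; i++) {
        const struct spec *s = &sample_fc[i];
        regex_t rx; char anchored[128];
        if (!spec_in_prefix(s, prefix) || (s->ftype && s->ftype != ftype)) continue;
        snprintf(anchored, sizeof anchored, "^%s$", s->re);
        if (regcomp(&rx, anchored, REG_EXTENDED | REG_NOSUB) != 0) continue;
        if (regexec(&rx, path, 0, NULL, 0) == 0) {
            snprintf(out, outlen, "%s", s->ctx);
            found = (int)strlen(s->ctx);
        }
        regfree(&rx);
    }
    return found;
}
```

With the "/dev" prefix only the three /dev entries are compiled, and a lookup for /etc/passwd fails, which is why the prefix must cover every path the caller will ever ask about.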




More information about the fedora-selinux-list mailing list