[redhat-lspp] Number of level & compartments
Steve Grubb
sgrubb at redhat.com
Tue Sep 20 13:07:40 UTC 2005
On Tuesday 20 September 2005 08:32, Stephen Smalley wrote:
> > So has a huge set of compartments ever been tested? If not, it might be
> > worthwhile to make sure nothing breaks.
>
> There are some limitations imposed by the kernel interfaces (as opposed
> to the internal data structures, which are only limited by memory). The
> xattr API allows for 64k xattrs, so that isn't a concern. However,
> the /proc/pid/attr and selinuxfs interfaces are presently limited to
> page size reads and writes, so you could possibly run up against those
> limitations,
I wonder if there should be checks that prevent configurations that hit that
limit. I think it's expected that the user gets an error message while setting
up the system, in addition to when using it.
> particularly for selinuxfs interfaces that deal with more
> than a single context. However, given the compact notation being used
> by the kernel (c0,c1,...) and the shorthand form for contiguous sets of
> categories (c0.c127), I wouldn't expect a problem in practice. It would
> take security contexts that included a huge number of individual
> non-contiguous categories to hit the limit.
Is this detectable at compile time or during policy load?
-Steve
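The size concern in this exchange is easy to make concrete. The following is an added example, not code from the thread, from SELinux or from the kernel: it renders a category set in the compact notation Stephen describes (c0,c1,... with c0.c127 for contiguous runs) and then checks whether the resulting context string would still fit the page-sized /proc/pid/attr and selinuxfs interfaces. Assumptions of mine: a 4096-byte page, a context of the form user:role:type:sN:categories, a range form used only for runs of three or more adjacent categories (two adjacent ones are listed individually, which is how I understand the kernel's formatter to behave), and a hypothetical policy that defines enough categories for the sparse case to overflow. The names compact_categories, render_context, context_fits_page and check_contexts are mine.

```python
"""Added example (not from the thread or the kernel): render MCS/MLS
categories in the kernel's compact notation and check the result against a
page-sized interface buffer."""

PAGE_SIZE = 4096  # assumed page size for /proc/pid/attr and selinuxfs


def compact_categories(cats):
    """Return the compact rendering of a category set.

    {0,1,2,3,7,9} -> "c0.c3,c7,c9"; {0,1} -> "c0,c1"; range(1024) -> "c0.c1023".
    Input is de-duplicated and sorted first.
    """
    cats = sorted(set(cats))
    parts = []
    i = 0
    while i < len(cats):
        # Extend j to the end of the contiguous run that starts at i.
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        run = cats[i:j + 1]
        if len(run) >= 3:  # assumed threshold for using the "cA.cB" form
            parts.append(f"c{run[0]}.c{run[-1]}")
        else:
            parts.extend(f"c{c}" for c in run)
        i = j + 1
    return ",".join(parts)


def render_context(user, role, type_, sensitivity, cats=()):
    """Build a full security context string with an MLS/MCS level."""
    level = f"s{sensitivity}"
    rendered = compact_categories(cats)
    if rendered:
        level += ":" + rendered
    return f"{user}:{role}:{type_}:{level}"


def context_fits_page(context, page_size=PAGE_SIZE):
    """True if the context plus a terminating NUL fits in one page.

    This is the kind of check Steve asks about: it can be applied to every
    context a configuration is about to hand to the kernel, before the
    page-limited interface rejects or truncates it.
    """
    return len(context.encode("utf-8")) + 1 <= page_size


def check_contexts(contexts, page_size=PAGE_SIZE):
    """Return (truncated_context, length) for each context that does not fit."""
    too_long = []
    for ctx in contexts:
        if not context_fits_page(ctx, page_size):
            too_long.append((ctx[:40] + "...", len(ctx)))
    return too_long


if __name__ == "__main__":
    # Constructed sample contexts. A contiguous 1024-category set collapses to
    # "c0.c1023"; a sparse set (every second category) grows with the count.
    # The 4096-category case assumes a hypothetical policy defining that many.
    contiguous = render_context("system_u", "system_r", "kernel_t", 0, range(1024))
    sparse_1k = render_context("system_u", "system_r", "kernel_t", 0, range(0, 1024, 2))
    sparse_4k = render_context("system_u", "system_r", "kernel_t", 0, range(0, 4096, 2))
    for name, ctx in [("contiguous", contiguous), ("sparse_1k", sparse_1k),
                      ("sparse_4k", sparse_4k)]:
        print(f"{name:10s} len={len(ctx):5d} fits={context_fits_page(ctx)}")
    print("offenders:", check_contexts([contiguous, sparse_1k, sparse_4k]))
```

Running it shows the point Stephen makes: a thousand contiguous categories cost a handful of bytes, every second category out of 1024 still fits comfortably, and only a large set of non-contiguous categories pushes a single context past a page. The same check can be run at policy-build or configuration time over every context that will be written through these interfaces.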