Linked by Thom Holwerda on Wed 5th Mar 2008 09:43 UTC, submitted by diegocg
Sun Solaris, OpenSolaris "OpenSolaris has launched a new project, Flexible Mandatory Access Control, to integrate the Flask/TE security scheme into their OS. This is the same underlying model implemented by SELinux, and follows other cross-platform Flask/TE integration projects such as SEDarwin and SEBSD. This is very exciting in terms of establishing compatible security across operating systems, particularly for Mandatory Access Control, which has traditionally been narrowly focused and generally incompatible. With FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC security."
RE[4]: Trusted Solaris?
by Bitterman on Wed 5th Mar 2008 14:35 UTC in reply to "RE[3]: Trusted Solaris?"
Bitterman Member since:
2005-07-06

Whoa, thanks, I had never heard that, but I'll take your word for it. That is a pretty bad performance hit. Personally I'll still deal with it because I want some security infrastructure to get adopted. Open source has way, way too many programs on a machine. I mean, look at Debian's repos: you got 20,000 different applications. That is a lot of security bugs waiting to be found or already found and being exploited. There needs to be a wrapper in the middle to protect the machine from poor code. Whether it be SELinux or another type of MAC system, or stack protection, I don't know or care, but there needs to be something between poor code and free rein of a machine. For now SELinux appears to be the one with the most active development and adoption.

Reply Parent Score: 1

RE[5]: Trusted Solaris?
by Method on Wed 5th Mar 2008 15:20 in reply to "RE[4]: Trusted Solaris?"
Method Member since:
2006-05-15

Those performance numbers came from a developer who made a patch that reduces it down to 1% and 11% (x86 and SH respectively) (http://marc.info/?l=selinux&m=118906566911337&w=2). The patch and those numbers were in the very same email so the poster knew of the effort to address it. Linux 2.6.24 has those patches so the performance issue is now addressed. This specific issue was only on file read/write revalidation.

Edited 2008-03-05 15:29 UTC

Reply Parent Score: 1

RE[6]: Trusted Solaris?
by sbergman27 on Wed 5th Mar 2008 15:38 in reply to "RE[5]: Trusted Solaris?"
sbergman27 Member since:
2005-07-24

"The patch and those numbers were in the very same email so the poster knew of the effort to address it. Linux 2.6.24 has those patches so the performance issue is now addressed."

Which is why I mentioned that things were supposed to be better in 2.6.24 in my post. Why so defensive? Why is it that one cannot point out problems, costs, and limitations of SELinux without drawing such ire?

Anyway, I'll also point out that no current production distro has these patches, and that RHEL will likely not have them for about a year.

The Fedora Core 5 SELinux FAQ (the latest available) claims a 7% penalty overall (presumably for x86) but notes that the benchmark was old and that the overhead had probably increased due to changes in networking code. It is fair to say that as of now, and stretching back the last few years, SELinux exacts, and has exacted, a significant performance penalty. And that's not even considering the fact that when I log into my Fedora 8 desktop with SELinux enabled, the 3rd largest consumer of memory on the system is sealert.

I wish SELinux advocates would be a little more candid about the true costs of SELinux, rather than admitting to issues only after there is a fix available.

Edited 2008-03-05 15:49 UTC

Reply Parent Score: 2