Linked by Thom Holwerda on Wed 5th Mar 2008 09:43 UTC, submitted by diegocg
Sun Solaris, OpenSolaris "OpenSolaris has launched a new project, Flexible Mandatory Access Control, to integrate the Flask/TE security scheme into their OS. This is the same underlying model implemented by SELinux, and follows other cross-platform Flask/TE integration projects such as SEDarwin and SEBSD. This is very exciting in terms of establishing compatible security across operating systems, particularly for Mandatory Access Control, which has traditionally been narrowly focused and generally incompatible. With FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC security."
Thread beginning with comment 303501
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[6]: Trusted Solaris?
by sbergman27 on Wed 5th Mar 2008 15:38 UTC in reply to "RE[5]: Trusted Solaris?"
sbergman27
Member since:
2005-07-24

The patch and those numbers were in the very same email so the poster knew of the effort to address it. Linux 2.6.24 has those patches so the performance issue is now addressed.


Which is why I mentioned that things were supposed to be better in 2.6.24 in my post. Why so defensive? Why is it that one cannot point out problems, costs, and limitations of SELinux without drawing such ire?

Anyway, I'll also point out that no current production distro has these patches, and that RHEL will likely not have them for about a year.

The Fedora Core 5 SELinux FAQ (the latest available) claims a 7% penalty overall (presumably for x86) but notes that the benchmark was old and that the overhead had probably increased due to changes in networking code. It is fair to say that as of now, and stretching back the last few years, SELinux exacts, and has exacted, a significant performance penalty. And that's not even considering the fact that when I log into my Fedora 8 desktop with SELinux enabled, the 3rd largest consumer of memory on the system is sealert.

I wish SELinux advocates would be a little more candid about the true costs of SELinux, rather than admitting to issues only after there is a fix available.

Edited 2008-03-05 15:49 UTC

Reply Parent Score: 2