Old 04-02-2008, 11:40 PM
Harald Hoyer
 
Default Summary of my Fedora 9 Boot Time Testing

Steve Grubb wrote:
> On Wednesday 02 April 2008 10:12:59 Harald Hoyer wrote:
> > Turning off selinux and related services saves 10s overall boot time.
> > Trading off security with boot time. I don't know. But maybe a good
> > starting point for optimization.
>
> Programs linked with libselinux open and parse /etc/selinux/config whether
> they need it or not. I've submitted a patch several times (but it's not been
> accepted) to do a lazy init of libselinux's internal variables. For example,
> mv, cp, & ls read the file even if they do not need it. I wonder if doing
> lazy init helps any. I'll see if I can update the patch to current code.
>
> -Steve

You may share the patch after the update (-: so that I can measure how much effect it has on my system…

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
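
The lazy-init idea Steve Grubb describes in the quoted text, as an added C example that is not libselinux code and not his patch: the config file is opened and parsed only when a caller first asks for a setting. All `cfg_*` names and the sample file are hypothetical, and the plain flag assumes single-threaded callers.

```c
#include <stdio.h>
#include <string.h>

static const char *cfg_path = "/etc/selinux/config";
static int  cfg_opens;                   /* 0 until the first lookup */
static char cfg_mode[32], cfg_type[64];  /* SELINUX= and SELINUXTYPE= values */

/* Parse the file on first use only. Single-threaded sketch: a shared
 * library would guard this with pthread_once() rather than a plain flag. */
static void cfg_load(void)
{
    char line[256];
    FILE *fp;
    if (cfg_opens) return;               /* already parsed */
    cfg_opens++;
    if (!(fp = fopen(cfg_path, "r"))) return;  /* no file: values stay empty */
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (!strncmp(line, "SELINUX=", 8))
            snprintf(cfg_mode, sizeof cfg_mode, "%s", line + 8);
        else if (!strncmp(line, "SELINUXTYPE=", 12))
            snprintf(cfg_type, sizeof cfg_type, "%s", line + 12);
    }
    fclose(fp);
}

/* Only callers that need a setting pay for the open and parse. */
const char *cfg_mode_get(void) { cfg_load(); return cfg_mode; }
const char *cfg_type_get(void) { cfg_load(); return cfg_type; }
int cfg_open_count(void) { return cfg_opens; }

/* Demo setup: write a constructed sample config to path and point at it. */
int cfg_demo_setup(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n", fp);
    cfg_path = path;
    cfg_opens = 0;
    return fclose(fp);
}

int main(void)
{
    if (cfg_demo_setup("./selinux-config.sample")) return 1;
    printf("opens before first use: %d\n", cfg_open_count());
    printf("mode=%s type=%s\n", cfg_mode_get(), cfg_type_get());
    printf("opens after two lookups: %d\n", cfg_open_count());
    return 0;
}
```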
 
Old 04-04-2008, 10:14 AM
Harald Hoyer
 
Default Summary of my Fedora 9 Boot Time Testing

Harald Hoyer wrote:
> Turning off selinux and related services saves 10s overall boot time.
> Trading off security with boot time. I don't know. But maybe a good
> starting point for optimization.


Boot time:
35s without selinux and without auditd
40s with selinux + auditd + restorecond
45s with selinux + auditd + restorecond + setroubleshootd

I can live without setroubleshootd..

 
Old 04-04-2008, 11:31 AM
Tomas Mraz
 
Default Summary of my Fedora 9 Boot Time Testing

On Fri, 2008-04-04 at 12:14 +0200, Harald Hoyer wrote:
> Harald Hoyer wrote:
> > Turning off selinux and related services saves 10s overall boot time.
> > Trading off security with boot time. I don't know. But maybe a good
> > starting point for optimization.
>
> Boot time:
> 35s without selinux and without auditd
> 40s with selinux + auditd + restorecond
> 45s with selinux + auditd + restorecond + setroubleshootd
>
> I can live without setroubleshootd..
Setroubleshootd should be made to start up on demand when an AVC is
generated or it should be split to two parts - a lightweight listener
for AVCs + heavy analyzer part which would be executed only on demand.
From the boot charts it is clear that it is one of the most resource
hungry things in the boot sequence.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

 
Old 04-04-2008, 11:52 AM
Harald Hoyer
 
Default Summary of my Fedora 9 Boot Time Testing

Harald Hoyer wrote:
> Harald Hoyer wrote:
> > Turning off selinux and related services saves 10s overall boot time.
> > Trading off security with boot time. I don't know. But maybe a good
> > starting point for optimization.
>
> Boot time:
> 35s without selinux and without auditd
> 40s with selinux + auditd + restorecond
> 45s with selinux + auditd + restorecond + setroubleshootd
>
> I can live without setroubleshootd..



or

$ cat /etc/event.d/setroubleshootd
# setroubleshoot
#
# Starts setroubleshoot
#
#
start on stopped rc5

stop on runlevel [!5]

script
/bin/sleep 60
exec /usr/sbin/setroubleshootd -f
end script

 
Old 04-04-2008, 08:24 PM
Stephen Smalley
 
Default Summary of my Fedora 9 Boot Time Testing

On Fri, 2008-04-04 at 12:14 +0200, Harald Hoyer wrote:
> Harald Hoyer wrote:
> > Turning off selinux and related services saves 10s overall boot time.
> > Trading off security with boot time. I don't know. But maybe a good
> > starting point for optimization.
>
> Boot time:
> 35s without selinux and without auditd
> 40s with selinux + auditd + restorecond
> 45s with selinux + auditd + restorecond + setroubleshootd
>
> I can live without setroubleshootd..

auditd and restorecond are also optional for selinux. mcstransd should
be optional as well for selinux. None of them existed originally for
selinux; they are all later add-ons.

In the absence of auditd, SELinux avc messages just go
to /var/log/messages instead.

In the absence of restorecond, you might find certain files will be left
mislabeled when re-created, although usually that gets covered
automatically by policy. But you can always restorecon them by hand as
needed.

In the absence of mcstransd, the MCS/MLS label component (:s0) will be
visible and you won't have mapping support for translating categories to
more meaningful names. But you don't really need it if not using
categories for anything.

--
Stephen Smalley
National Security Agency
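
An added C example (not from the thread and not setroubleshoot code) of picking AVC denials out of syslog text, as they would land in /var/log/messages when auditd is not running. The `struct avc` layout, the function names and the sample lines are constructed, and the `avc:  denied  { ... } for ... scontext= tcontext= tclass=` line layout is assumed.

```c
#include <stdio.h>
#include <string.h>

struct avc { char perms[64], comm[32], scontext[96], tcontext[96], tclass[32]; };

/* Copy the value after " key=" into dst (bounded): a quoted value ends at
 * its closing quote, a bare one at the next space. Returns 0 if absent. */
static int field(const char *s, const char *key, char *dst, size_t cap)
{
    char pat[32];
    snprintf(pat, sizeof pat, " %s=", key);
    const char *p = strstr(s, pat);
    if (!p) return 0;
    p += strlen(pat);
    int q = (*p == '"');
    snprintf(dst, cap, "%.*s", (int)strcspn(p + q, q ? "\"" : " \r\n"), p + q);
    return 1;
}

/* Return 1 and fill *a if line is an AVC denial, 0 for any other line. */
int avc_parse(const char *line, struct avc *a)
{
    const char *p = strstr(line, "avc:"), *d, *lb, *rb;
    if (!p || !(lb = strchr(p, '{')) || !(rb = strchr(lb, '}'))) return 0;
    if (!(d = strstr(p, "denied")) || d > lb) return 0;  /* skip "granted" */
    lb += 1 + strspn(lb + 1, " ");                        /* trim "{ " */
    while (rb > lb && rb[-1] == ' ') rb--;                /* trim " }" */
    snprintf(a->perms, sizeof a->perms, "%.*s", (int)(rb - lb), lb);
    return field(rb, "comm", a->comm, sizeof a->comm)
        && field(rb, "scontext", a->scontext, sizeof a->scontext)
        && field(rb, "tcontext", a->tcontext, sizeof a->tcontext)
        && field(rb, "tclass", a->tclass, sizeof a->tclass);
}

/* Constructed sample lines; the syslog prefix and field order are assumed. */
const char *AVC_SAMPLE[3] = {
    "Apr  4 12:20:01 host kernel: audit(1207311601.123:45): avc:  denied  { read write } for  pid=2345 comm=\"httpd\" name=\"index.html\" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file",
    "Apr  4 12:20:02 host kernel: audit(1207311602.456:46): avc:  granted  { load_policy } for  pid=1 comm=\"init\" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security",
    "Apr  4 12:20:03 host sshd[999]: Accepted publickey for root from 192.0.2.10 port 22 ssh2",
};

int main(void)
{
    struct avc a;
    for (int i = 0; i < 3; i++)
        if (avc_parse(AVC_SAMPLE[i], &a))
            printf("%s { %s } %s -> %s [%s]\n", a.comm, a.perms, a.scontext, a.tcontext, a.tclass);
    return 0;
}
```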

 
