Robert Haas wrote:
Yes, we need '--enable-selinux' to activate all of the SE-PostgreSQL features.

In addition, these are invoked via security hooks which are declared
as inline functions. So, I think it does not give us any additional loss of
performance when you don't add the compile-time option explicitly.

That is good as far as it goes but I assume that if this patch is
accepted many vendors will build with this feature enabled, and many
end-users will turn off SELinux but keep the same binaries.  It's
important that those people don't get hosed either.

When we run a binary with this feature in a non-SELinux'ed environment,
the security hooks simply return after checking the flag variable
which shows whether SELinux is available on the host.

It's also probably worth asking what the performance penalty is when
you ARE using all the bells and whistles.

Are you referring to the performance penalty when full functionality is enabled?
(The meaning of "bells and whistles" is unclear to me.)

We show it on page 22 of my presentation at PGCon 2008.
  http://www.pgcon.org/2008/schedule/attachments/38_pgcon2008-sepostgresql.pdf

It shows a penalty of about 10% at maximum in pgbench, and larger databases
tend to have a relatively smaller performance penalty.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[EMAIL PROTECTED]>
