Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing List
subject: SELinux policy and performance impacts Date: Thu, 07 Aug 2008 19:13:40 -0400
I was wondering if anyone knows of any types of policy rules that when loaded into the kernel are particularly detrimental to system performance. My understanding is that all policy rules are treated equally once they've been compiled to binary, but I wanted to ask here first in order to confirm that.
Thanks
-- subject: Re: SELinux policy and performance impacts Date: Fri, 8 Aug 2008 10:03:02 +1000 (EST)
> I'm currently looking into the performance impact of SELinux. Most of what I Yes, all access rules are applied in a standard form with decisions cached in the AVC. There were some network permissions which had to do a full policydb lookup on each packet to determine the label to use, but these are also now cached (although will still incur some overhead). Auditing will introduce overhead (not all accesses are audited). Probably the best place to start to understand how this works is to look at avc_has_perm() in the kernel code, and also look at /selinux/avc . I suspect the largest overhead will be in the hook logic for various operations (e.g. look at the size of inode_doinit_with_dentry()) rather than the AVC lookup.
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Paul Moore <paul.moore_at_hp.com> subject: Re: SELinux policy and performance impacts Date: Fri, 8 Aug 2008 10:15:19 -0400
As an FYI, you'll want 2.6.26 to get the all of the cached network permissions; 2.6.25 added interface and node caches, 2.6.26 added port caches. If you are looking at network performance as part of this you will want to make sure compat_net is disabled, i.e. use Secmark. Ideally you would also enable the new network_peer_controls policy capability but I don't think we have that enabled by default just yet, needs more testing I believe. -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Joshua Brindle <method_at_manicmethod.com> subject: Re: SELinux policy and performance impacts Date: Fri, 08 Aug 2008 13:26:43 -0400
>> I'm currently looking into the performance impact of SELinux. Most of what I >> have seen so far involve testing the system's performance with file creation, >> open, and exec, but I was hoping to gather some more data before finalizing >> any conclusions. >> >> I was wondering if anyone knows of any types of policy rules that when loaded >> into the kernel are particularly detrimental to system performance. My >> understanding is that all policy rules are treated equally once they've been >> compiled to binary, but I wanted to ask here first in order to confirm that. > > Yes, all access rules are applied in a standard form with decisions cached > in the AVC. There were some network permissions which had to do a full > policydb lookup on each packet to determine the label to use, but these > are also now cached (although will still incur some overhead). > When the SS originally makes the decision (before its been cached) there is additional overhead on rules and types using attributes. Because of the avtab compression from version 20 the source and target types will be looked up in a reverse mapping to attribute, then each attribute will be looked up in the avtab to get the net access vector. More attributes (within reason) means less memory usage and more lookup overhead. For tests that repeat the same kinds of accesses over and over this overhead should be reduced to nothing by the AVC, however.
> Auditing will introduce overhead (not all accesses are audited). -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tycho.nsa.gov> subject: Re: SELinux policy and performance impacts Date: Thu, 14 Aug 2008 12:30:19 -0400
On Thu, 2008-08-07 at 19:13 -0400, Matt Anderson wrote:
In addition to other points raised in this thread, note that using larger inodes (as done by default in F9) should yield a significant improvement in file benchmarks by keeping the SELinux security context inline within the inodes rather than in separate data blocks. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
|
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |