The Cost of SELinux, Audit, & Kernel Debugging
-
the cost of SELinux is not eliminated by just disabling it at boot time. there is a noticeable cost to have it compiled into the kernel, even if it's not used. so it would be good to see a different kernel compiled with all the same options except for selinux
In addition, all the Fedora binaries involve selinux libraries in userspace, and just linking in these libraries can impact performance (there was an interesting discussion a couple weeks ago on the git mailing list about performance issues with one of the tools, and part of the problem was that on some distros with selinux there were many additional libraries being loaded).
unfortunately testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relatively easy is gentoo.
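The comparison dlang asks for ("all the same options except for selinux") is only meaningful if the two kernel configs really differ in nothing else. The following is an added example, not code from this thread or from Phoronix: it parses two Linux .config files and flags any option that differs beyond the ones the experiment intended to change. The two config excerpts are constructed, and the list of "SELinux-related" option prefixes is an assumption.

```python
"""Diff two Linux kernel .config files and flag unintended differences.

Added example (not from the thread). The sample configs are constructed,
truncated excerpts, not real distribution configs.
"""
import re

# Kernel config syntax: "CONFIG_FOO=y", "CONFIG_FOO=m", 'CONFIG_FOO="str"',
# or the comment form "# CONFIG_FOO is not set", which means the option is off.
SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Assumption: these prefixes cover the options a "no SELinux" kernel is
# expected to change. Sub-options of CONFIG_SECURITY_SELINUX simply vanish
# from the config when the parent is unset, which the diff reports as None.
ALLOWED_PREFIXES = ("CONFIG_SECURITY_SELINUX", "CONFIG_DEFAULT_SECURITY")

# Constructed excerpt standing in for the "Stock" kernel config.
STOCK_CONFIG = """\
# Constructed excerpt, not a real distro config
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_DEBUG_KERNEL=y
"""

# Constructed excerpt for the rebuilt kernel. Someone also turned off
# CONFIG_AUDITSYSCALL, which would silently skew a SELinux-only comparison.
NO_SELINUX_CONFIG = """\
# Constructed excerpt: meant to differ only in SELinux options
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_AUDIT=y
# CONFIG_AUDITSYSCALL is not set
CONFIG_DEBUG_KERNEL=y
"""


def parse_config(text):
    """Return {option: value}; options marked 'is not set' map to 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def diff_configs(a_text, b_text):
    """Return {option: (a_value, b_value)} for every option whose value differs.

    An option absent from one file is reported as None on that side.
    """
    a = parse_config(a_text)
    b = parse_config(b_text)
    diffs = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key), b.get(key)
        if va != vb:
            diffs[key] = (va, vb)
    return diffs


def unexpected_differences(diffs, allowed_prefixes=ALLOWED_PREFIXES):
    """Differences that are not among the options the experiment meant to change."""
    return {k: v for k, v in diffs.items() if not k.startswith(allowed_prefixes)}


if __name__ == "__main__":
    diffs = diff_configs(STOCK_CONFIG, NO_SELINUX_CONFIG)
    for option, (stock, rebuilt) in diffs.items():
        print(f"{option}: stock={stock} rebuilt={rebuilt}")
    stray = unexpected_differences(diffs)
    if stray:
        print("WARNING: configs differ in options unrelated to SELinux:", sorted(stray))
    else:
        print("OK: configs differ only in SELinux-related options")
```

On a real system the two inputs would be the config files from /boot or the decompressed /proc/config.gz of each kernel; the prefix list is the part to adjust if the experiment is also meant to vary audit or kernel debugging options.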
-
Originally posted by frantaylor:
When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.
the initial point I was making is that this wasn't really a comparison between a SELinux system and a non-SELinux system. it was a comparison between a SELinux system and a SELinux system with checks disabled, but with all the other overhead, so the difference would be larger than this benchmark shows
as for how much of a pain it is to do, that depends on where you start. if you start with a SELinux enabled distro and recompile everything to disable SELinux it will take a long time.
if you start with a distro that doesn't have SELinux in it, you are basically done (although I still see benefits in doing custom kernel compiles to disable everything I don't need. among other things this means that my systems are immune to the null bug discovered today)
also, the benefit depends on how many servers you are running while the cost of setting it up is relatively fixed.
-
Originally posted by frantaylor:
This is an EXCELLENT benchmark article!!!
I have always wondered about this.
The "No SELinux or Audit" was obtained when both SELinux and Audit were disabled at boot-time, but besides that was the same configuration as "Stock".
The only way to test performance without selinux is to actually have a filesystem that has no dependency on libselinux.so
And thus using Fedora makes the results invalid.
Phoronix FAIL