Does SELinux Have Much Of A Performance Impact On Fedora 23?


  • #21
    Originally posted by Creak:

    Every time I install Fedora Workstation + the proprietary stuff that makes my machine enjoyable (flash, Steam, codecs, ...), I end up disabling SELinux.
    I've seen the video about "SELinux for mere mortals", but I still think SELinux should be disabled for the Workstation spin. It's just incompatible with casual desktop everyday use, it simply does not work out-of-the-box and you pretty much need to have sysadmin skills to fix the problems that keep happening.

    I can't say I've tried Steam on Fedora, but Flash, proprietary codecs (well, MP3 anyway), and even Wine, along with everything else I do on Workstation, work fine with SELinux enabled. I can't say I ever had a problem with it on Workstation.

    On Fedora Server, I ran into a minor snag while trying to figure out something with nginx, but that was fixed by enabling a specific SELinux boolean. Aside from that one scenario, all the rest of my servers run without any issue with SELinux.

    If SELinux is blocking things, could it be possible there's a good reason for it to be doing so?

    Edit: Let's Encrypt's standalone HTTP auth thing is the one thing that I disable SELinux for, but that's only because I'm too lazy to just figure out the correct boolean(s) to enable for it to work properly.

    Edit2: Should also note that SELinux causing issues with proprietary stuff outside of Fedora's repos is unlikely at all to be cared about by Fedora developers.
    Last edited by Guest; 16 December 2015, 07:05 PM.



  • #22
    Originally posted by Creak:

    Every time I install Fedora Workstation + the proprietary stuff that makes my machine enjoyable (flash, Steam, codecs, ...), I end up disabling SELinux.
    I've seen the video about "SELinux for mere mortals", but I still think SELinux should be disabled for the Workstation spin. It's just incompatible with casual desktop everyday use, it simply does not work out-of-the-box and you pretty much need to have sysadmin skills to fix the problems that keep happening.

    It does work "out of the box." If it isn't working for you then you did something that wasn't in the box, such as installing software from RPMFusion.

    Also, Fedora has had a quite helpful GUI tool that pops up when SELinux denies something. It offers suggestions that are often useful.



  • #23
    Originally posted by Zan Lynx:

    It does work "out of the box." If it isn't working for you then you did something that wasn't in the box, such as installing software from RPMFusion.

    Also, Fedora has had a quite helpful GUI tool that pops up when SELinux denies something. It offers suggestions that are often useful.

    Sorry, I misused "out of the box", I meant that once you have installed all the things that make Fedora usable for any multimedia activities (and that includes RPMFusion), then SELinux starts to whine. And the way to fix these kinds of problems is way out of scope for the average user. I mean, even I, and I consider myself an advanced user, don't want to find the time to fix that. I do lots of stuff with my PC, from browsing the web to programming in C++, but I'm not a sysadmin and don't especially want to become one.

    I know it's not crazy difficult, but it's boring as hell to find the fix for each and every little problem of SELinux. Personally, I really like Fedora, but I can't recommend it to someone, mainly because of that. I don't want to be their sysadmin either.
    Last edited by Creak; 17 December 2015, 10:14 AM.



  • #24
    Originally posted by hoohoo:

    Selinux was written by the NSA. I do not trust it.

    Cool story, but missing the most important part:
    IF the NSA could get deep enough into your machine where they could actually MAKE USE of a backdoor into selinux, then you are no more at risk than by not running selinux at all. It isn't opening a hole in your firewall, or letting them decrypt your encrypted communication. It's just blocking access to resources based on a policy, but you need to already be in far enough that you would be able to access those resources were it not for selinux.



  • #25
    Originally posted by cjcox:

    Selinux was written by the NSA. Therefore it is not well understood.

    The fact that YOU don't understand it DOES NOT mean that people YOU TRUST also don't understand it.



  • #26
    Originally posted by droidhacker:

    The fact that YOU don't understand it DOES NOT mean that people YOU TRUST also don't understand it.

    Nor does it mean the people I trust DO understand it.

    NSA considers its job to be to break into every computer it can possibly break into, regardless of any actual need to do so. NSA is on record that it believes it needs to record everything just in case it needs to posthumously (if you will) investigate some unknown thing that some unknown person might have done at some time.

    It's not even useful to say "If you have nothing to hide, why are you worried about being surveilled?" because what you might have to hide constantly changes whenever the NSA changes its definition of what the "threat" is - and the definition of the threat is itself hidden from us.

    And, NSA, employing some of the smartest computer people in the world, has tens of thousands (or so) of lines of code in the kernel that manage access to resources at the kernel level.

    Where exactly does this fail to compute for you?
    Last edited by hoohoo; 19 December 2015, 12:05 AM. Reason: "it's job to break" -> "it's job to be to break"



  • #27
    Originally posted by droidhacker:

    Cool story, but missing the most important part:
    IF the NSA could get deep enough into your machine where they could actually MAKE USE of a backdoor into selinux, then you are no more at risk than by not running selinux at all. It isn't opening a hole in your firewall, or letting them decrypt your encrypted communication. It's just blocking access to resources based on a policy, but you need to already be in far enough that you would be able to access those resources were it not for selinux.

    Look at kernel module exploits. Well-written ones are almost undetectable from within the infected computer. You might be able to detect one by monitoring network traffic with a very well protected packet sniffer box, but this requires time and money and expertise.

    Nah, F that line of argument. I'll quote you instead: "IF the NSA could get deep enough into your machine where they could actually MAKE USE of a backdoor into selinux, then " ...how exactly did NSA penetrate the networks and datacenters of Google, Facebook, Amazon and Microsoft for periods of months and years until Snowden made that public, BUT THESE MEGACORPS WERE NONE THE WISER?

    If you think you can out-do the likes of those victims on your own, more power to you. But I think you are deluded.
    Last edited by hoohoo; 18 December 2015, 11:51 PM. Reason: misspelled "line"



  • #28
    Originally posted by droidhacker:

    Cool story, but missing the most important part:
    IF the NSA could get deep enough into your machine where they could actually MAKE USE of a backdoor into selinux, then you are no more at risk than by not running selinux at all. It isn't opening a hole in your firewall, or letting them decrypt your encrypted communication. It's just blocking access to resources based on a policy, but you need to already be in far enough that you would be able to access those resources were it not for selinux.

    Linux firewalls and decent 3rd-party firewalls (your wifi gateway type products that sit between your ADSL or cable and your home LAN), probably any useful firewall, allow bi-directional communication on outbound-origin connections. Exploiting a backdoor does not have to require answering inbound unsolicited packets: just have the exploit code in the infected kernel initiate the communication. This is how most botnets work: the botmaster does not call the bots, the bots call the botmaster.

    As for encryption: if it can be read on your screen then it is unencrypted in RAM in your PC, and is accessible to the kernel. That is, unless AMD and NV have implemented encrypted GPU RAM when I was not looking?
    Last edited by hoohoo; 19 December 2015, 12:02 AM. Reason: Added the bit about encryption



  • #29
    SELinux is a file labeling system; what affects performance is mostly file access. Measuring things like GPU or CPU or even block-level access (database) is not what you want to do. Most of the tests (if not all) were not appropriate; I'd try some random file access, perhaps with many files. For example grep across the whole filesystem. And something that spawns a lot of processes.

    Also, it is very important to measure confined processes, as the unconfined_t domain may have optimizations in order to speed things up (e.g. label lookup). If you want to really measure SELinux vs non-SELinux, you need to recompile the kernel in order to get the best possible performance, I guess.

    Anyway, thanks for doing this. You are doing a great job with these tests in general. And... HNY! :-)

    ps - for those who are having issues with SELinux when using _______ (some non-standard app like Skype or Flash) - DO NOT disable the whole of SELinux, just put the application that does not work into permissive mode with "semanage permissive executable", as easy as that.

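The per-domain permissive approach from post #29, as an added example that is not from the thread or any of its posters: a small POSIX shell script that parses one AVC denial line (the shape audit.log and `ausearch -m avc` show when SELinux blocks something) and prints the targeted remedies, from enabling an existing boolean to making only the offending domain permissive, instead of disabling SELinux system-wide. The denial line, the nginx/httpd_t scenario and the module name are constructed for illustration; `semanage permissive -a` takes a domain type such as httpd_t, which is why the script derives it from the scontext field.

```shell
#!/bin/sh
# Constructed AVC denial line (not from the thread): the shape audit.log and
# "ausearch -m avc" show when a confined domain is blocked by policy.
AVC_LINE='type=AVC msg=audit(1450000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field KEY LINE: the value of one key=value pair, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# permissive_cmd LINE: the single-domain command to use instead of
# "setenforce 0" or SELINUX=disabled. Only this domain is logged-not-blocked;
# every other domain stays enforcing. semanage takes the domain type, not a path.
permissive_cmd() {
    printf 'semanage permissive -a %s\n' "$(context_type "$(avc_field scontext "$1")")"
}

# explain_denial LINE: summarise the denial and list fixes, most targeted first.
explain_denial() {
    line=$1
    src=$(context_type "$(avc_field scontext "$line")")
    tgt=$(context_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    comm=$(avc_field comm "$line")
    perms=$(avc_perms "$line")
    printf 'Denied: %s (domain %s) wanted { %s } on %s (class %s)\n' "$comm" "$src" "$perms" "$tgt" "$cls"
    printf '1. Look for a boolean that already covers it:  getsebool -a | grep %s\n' "${src%_t}"
    printf '   and enable it persistently:                 setsebool -P <boolean> on\n'
    printf '2. Make only this domain permissive:           %s\n' "$(permissive_cmd "$line")"
    printf '   (revert later with: semanage permissive -d %s)\n' "$src"
    printf '3. Last resort, a local policy module built from the logged denials:\n'
    printf '   ausearch -m avc -c %s | audit2allow -M local_%s && semodule -i local_%s.pp\n' "$comm" "$src" "$src"
}

explain_denial "$AVC_LINE"
```

The script only prints the commands; run the one you choose by hand so that the change stays deliberate and reversible.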