The Cost of SELinux, Audit, & Kernel Debugging

**frantaylor** · 08-13-2009, 05:22 PM

The 11th Commandment: Thou shalt not create a graph without reading and understanding "The Visual Display of Quantitative Information" by Edward Tufte.

**dlang** · 08-13-2009, 06:02 PM

the cost of SELinux is not eliminated by just disabling it at boot time. there is a noticable cost to have it compiled into the kernel, even if it's not used. so it would be good to see a different kernel compiled with all the same options except for selinux

In addition, all the Fedora binaries involve selinux libraries in userspace, and just linking in these libraries can impact performance (there was an interesting discussion a couple weeks ago on the git mailing list about performance issues with one of the tools, and part of the problem was that on some distros with selinux there were many additional libraries being loaded.

unfortunantly testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relativly easy is gentoo.

**nanonyme** · 08-13-2009, 06:07 PM

Originally Posted by dlang

unfortunantly testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relativly easy is gentoo.

Although it's time-consuming even in Gentoo.

**frantaylor** · 08-13-2009, 06:19 PM

Originally Posted by dlang

the cost of SELinux is not eliminated by just disabling it at boot time. there is a noticable cost to have it compiled into the kernel, even if it's not used. so it would be good to see a different kernel compiled with all the same options except for selinux

In addition, all the Fedora binaries involve selinux libraries in userspace, and just linking in these libraries can impact performance (there was an interesting discussion a couple weeks ago on the git mailing list about performance issues with one of the tools, and part of the problem was that on some distros with selinux there were many additional libraries being loaded.

unfortunantly testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relativly easy is gentoo.

When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.

**nanonyme** · 08-13-2009, 06:21 PM

Originally Posted by frantaylor

When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.

Plus on a server you would probably actually appreciate the security more than a slight increase of performance.

**dlang** · 08-13-2009, 07:03 PM

Originally Posted by frantaylor

When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.

sometimes you cannot buy a faster server.

the initial point I was making is that this wasn't really a comparison between a SELinux system and a non-SELinux system. it was a comparison between a SELinux system and a SELinux system with checks disabled, but with all the other overhead, so the difference would be larger than this benchmark shows

as for how much of a pain it is to do, that depends on where you start. if you start with a SELinux enabled distro and recompile everything to disable SELinux it will take a long time.

if you start with a distro that doesn't have SELinux in it, you are basicly done (although I seill see benifits in doing custom kernel compiles to disable everything I don't need. among other things this means that my systems are immune to the null bug discovered today)

also, the benifit depends on how many servers you are running while the cost of setting it up is relativly fixed.

**cruiseoveride** · 08-13-2009, 09:18 PM

Originally Posted by frantaylor

This is an EXCELLENT benchmark article!!!

I have always wondered about this.

I'm sorry to burst your bubble, but the test methodology is seriously flawed.

The "No SELinux or Audit" was obtained when both SELinux and Audit were disabled at boot-time, but besides that was the same configuration as "Stock".

The userspace libraries are still intercepting every damn call regardless of selinux being disabled in the kernel or not.

The only way to test performance without selinux, is to actually have a filesystem that has no dependency on libselinux.so

And thus using Fedora makes the results invalid.

Phoronix FAIL

**bridgman** · 08-13-2009, 09:56 PM

What would you recommend ?

**cruiseoveride** · 08-13-2009, 11:48 PM

Originally Posted by bridgman

What would you recommend ?

Well for a start you'd have to have a rootfs that does not need libselinux and friends. Which today means you'd have to build it yourself since everyone is linking glibc with libselinux.

**nanonyme** · 08-14-2009, 06:05 AM

Technically you could probably create a distro out of Fedora that wouldn't have SELinux at all but I doubt it'd be Fedora anymore then since it might involve a lot of packaging changes. :3

Thread: The Cost of SELinux, Audit, & Kernel Debugging

Thread Tools

Search Thread

Display

Posting Permissions