
Thread: The Cost of SELinux, Audit, & Kernel Debugging

  1. #11
    Join Date
    Jul 2009
    Posts
    351

    The 11th Commandment: Thou shalt not create a graph without reading and understanding "The Visual Display of Quantitative Information" by Edward Tufte.

  2. #12
    Join Date
    Jun 2009
    Posts
    23

    the cost of SELinux is not eliminated by just disabling it at boot time. there is a noticeable cost to have it compiled into the kernel, even if it's not used. so it would be good to see a different kernel compiled with all the same options except for selinux

    In addition, all the Fedora binaries involve selinux libraries in userspace, and just linking in these libraries can impact performance (there was an interesting discussion a couple weeks ago on the git mailing list about performance issues with one of the tools, and part of the problem was that on some distros with selinux there were many additional libraries being loaded).

    unfortunately testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relatively easy is gentoo.

  3. #13
    Join Date
    Aug 2008
    Location
    Finland
    Posts
    1,567

    Quote Originally Posted by dlang View Post
    unfortunately testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relatively easy is gentoo.
    Although it's time-consuming even in Gentoo.

  4. #14
    Join Date
    Jul 2009
    Posts
    351

    Quote Originally Posted by dlang View Post
    the cost of SELinux is not eliminated by just disabling it at boot time. there is a noticeable cost to have it compiled into the kernel, even if it's not used. so it would be good to see a different kernel compiled with all the same options except for selinux

    In addition, all the Fedora binaries involve selinux libraries in userspace, and just linking in these libraries can impact performance (there was an interesting discussion a couple weeks ago on the git mailing list about performance issues with one of the tools, and part of the problem was that on some distros with selinux there were many additional libraries being loaded).

    unfortunately testing this with a fully cleaned userspace involves recompiling a lot of the system (potentially including glibc). the only distro that I know of that makes this sort of testing relatively easy is gentoo.
    When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.

  5. #15
    Join Date
    Aug 2008
    Location
    Finland
    Posts
    1,567

    Quote Originally Posted by frantaylor View Post
    When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.
    Plus on a server you would probably actually appreciate the security more than a slight increase of performance.

  6. #16
    Join Date
    Jun 2009
    Posts
    23

    Quote Originally Posted by frantaylor View Post
    When you consider the pain and time involved, you'd have to use it for years before it paid off. Look at those graphs, we are talking about a couple of percent. How much is your time worth? Even on a server you would be better off investing in faster hardware to overcome the performance difference.
    sometimes you cannot buy a faster server.

    the initial point I was making is that this wasn't really a comparison between a SELinux system and a non-SELinux system. it was a comparison between a SELinux system and a SELinux system with checks disabled, but with all the other overhead, so the difference would be larger than this benchmark shows

    as for how much of a pain it is to do, that depends on where you start. if you start with a SELinux enabled distro and recompile everything to disable SELinux it will take a long time.

    if you start with a distro that doesn't have SELinux in it, you are basically done (although I still see benefits in doing custom kernel compiles to disable everything I don't need. among other things this means that my systems are immune to the null bug discovered today)

    also, the benefit depends on how many servers you are running while the cost of setting it up is relatively fixed.

  7. #17
    Join Date
    Jun 2008
    Posts
    197

    Quote Originally Posted by frantaylor View Post
    This is an EXCELLENT benchmark article!!!

    I have always wondered about this.
    I'm sorry to burst your bubble, but the test methodology is seriously flawed.

    The "No SELinux or Audit" was obtained when both SELinux and Audit were disabled at boot-time, but besides that was the same configuration as "Stock".
    The userspace libraries are still intercepting every damn call regardless of selinux being disabled in the kernel or not.

    The only way to test performance without selinux, is to actually have a filesystem that has no dependency on libselinux.so

    And thus using Fedora makes the results invalid.

    Phoronix FAIL

  8. #18
    Join Date
    Oct 2007
    Location
    Toronto-ish
    Posts
    7,281

    What would you recommend?

  9. #19
    Join Date
    Jun 2008
    Posts
    197

    Quote Originally Posted by bridgman View Post
    What would you recommend?
    Well for a start you'd have to have a rootfs that does not need libselinux and friends. Which today means you'd have to build it yourself since everyone is linking glibc with libselinux.
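The two claims argued over in this thread (that the benchmark's "No SELinux" userspace still loaded libselinux into every process, and that a kernel with SELinux compiled in still carries that code when it is disabled at boot) can both be checked on a given box before trusting any such benchmark. The POSIX shell helpers below are an added example, not code from any poster; the `ldd` samples are constructed, and `/boot/config-<release>` is assumed to be where the running kernel's config lives.

```shell
#!/bin/sh
# Added example: verify how "off" SELinux really is on a host.
# (1) does userspace still link libselinux?  (2) is SELinux built into the kernel?

# Constructed sample of `ldd` output for a Fedora-style binary (not captured from a real host).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd00000000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f0000000001)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000002)'

# Constructed sample for a binary with no SELinux dependency.
SAMPLE_LDD_CLEAN='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0000000002)'

# Return 0 when ldd-style output on stdin names libselinux, 1 otherwise.
links_libselinux() {
    grep -q 'libselinux\.so'
}

# Return 0 when the kernel config file given as $1 has SELinux built in.
kernel_has_selinux() {
    grep -q '^CONFIG_SECURITY_SELINUX=y' "$1"
}

# Print every regular file under directory $1 whose dynamic deps include libselinux
# (runs the real ldd, so only use it on a host you are auditing).
list_selinux_linked() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ldd "$f" 2>/dev/null | links_libselinux; then
            printf '%s\n' "$f"
        fi
    done
}

# Summarise the host: kernel build flag plus a count of /usr/bin binaries linking libselinux.
report_host() {
    cfg="/boot/config-$(uname -r)"   # assumed location of the running kernel's config
    if [ -r "$cfg" ] && kernel_has_selinux "$cfg"; then
        echo "kernel: SELinux compiled in ($cfg)"
    else
        echo "kernel: CONFIG_SECURITY_SELINUX=y not found in $cfg (or file unreadable)"
    fi
    echo "binaries in /usr/bin linking libselinux: $(list_selinux_linked /usr/bin | wc -l)"
}

# report_host   # uncomment to run against this host
```

A non-zero count from `report_host` means a "disabled at boot" run is still paying the userspace linking cost the thread describes, so it is not a true SELinux-free baseline.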

  10. #20
    Join Date
    Aug 2008
    Location
    Finland
    Posts
    1,567

    Technically you could probably create a distro out of Fedora that wouldn't have SELinux at all, but I doubt it'd be Fedora anymore then, since it might involve a lot of packaging changes. :3
