06-23-2011, 01:52 PM
Matthew Miller

New benchmark on SELINUX and Fedora 15 from Phoronix

On Thu, Jun 23, 2011 at 12:58:22PM +0200, yersinia wrote:
> Perhaps it is of interest to this list that Phoronix has produced a new
> benchmark about the performance impact of SELinux on
> Fedora 15. Looks very good
> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .

Spoiler: negligible impact in gaming, compression, media conversion,
multithreaded IO, and SQL tests; 5% hit for a mail server and 11% for
a simple web server benchmark.

Since those network services are where SELinux brings a huge benefit, I
think the overall takeaway is "yay SELinux!"

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
06-23-2011, 03:59 PM
Pádraig Brady

New benchmark on SELINUX and Fedora 15 from Phoronix

On 23/06/11 14:45, Daniel J Walsh wrote:
> On 06/23/2011 08:58 AM, Pádraig Brady wrote:
>> On 23/06/11 12:28, Lennart Poettering wrote:
>>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>>>
>>>> Greetings
>>>>
>>>> Perhaps it is of interest to this list that Phoronix has produced a new
>>>> benchmark about the performance impact of SELinux on
>>>> Fedora 15. Looks very good
>>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>>>
>>> The biggest impact it has on boot time really. Might be worth measuring that.
>
>> A work colleague here did that a couple of days ago.
>> To boot to a usable desktop with stock F15 with gdm auto login:
>
>> with selinux: 43s
>> without selinux: 24s
>
>> Hardware is pinetrail netbook (1.6GHz Atom N455).
>> 2GB RAM and SSD limited by SATA I interface.

Repeating the above on my F15 sandy bridge i3 laptop
shows a much closer result:

with selinux: 18s
without selinux: 14s

> We have found one problem in libselinux that could account for some of
> the slowdown, but not much, this increases the speed of matchpathcon.
> We have fixed this in F16.
>
> Tests conducted in Rawhide.
>
> systemd reads in policy file and loads it in the kernel.
>
> # du -m /etc/selinux/targeted/policy/policy.26
> 7 /etc/selinux/targeted/policy/policy.26
>
> The load_policy command on my T61 does pretty much the equivalent.
>
> # time load_policy
>
> real 0m7.483s
> user 0m0.000s
> sys 0m2.255s
>
> systemd and udev both load the file_context files and create regexes
> based on these files. matchpathcon does the equivalent.
>
> time matchpathcon /dev
> /dev system_u:object_r:device_t:s0
>
> real 0m0.069s
> user 0m0.012s
> sys 0m0.021s
>
> Obviously this is a more powerful machine than the Atom, but I would
> figure loading of the policy is the culprit.

snb# time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m0.101s
user 0m0.096s
sys 0m0.004s

snb# time load_policy

real 0m1.553s
user 0m0.000s
sys 0m0.483s

atom# time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m1.036s
user 0m1.012s
sys 0m0.019s

atom# time load_policy

about 4s

cheers,
Pádraig.
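
Added example (not part of the thread and not libselinux code): a simplified Python model of what the thread says matchpathcon, systemd and udev each do, namely load the file_contexts entries, compile a regex per entry, then match one path. The sample entries, the `synthetic` filler, and the regex-first ordering with an end-to-start scan are assumptions made for illustration; the point is that load time, paid on every invocation, dominates the single lookup.

```python
import re
import time

# Constructed sample in file_contexts syntax: <path regex> [file type] <context>
SAMPLE = """\
/.*                    system_u:object_r:default_t:s0
/dev               -d  system_u:object_r:device_t:s0
/dev/.*                system_u:object_r:device_t:s0
/dev/null          -c  system_u:object_r:null_device_t:s0
/dev/[shmx]d[^/]*  -b  system_u:object_r:fixed_disk_device_t:s0
/etc/.*                system_u:object_r:etc_t:s0
/etc/shadow.*      --  system_u:object_r:shadow_t:s0
"""
META = set(".^$?*+|[({\\")  # simplified test for "is this a regex or a literal path"

def load_specs(text):
    """Parse every entry and compile its path regex, anchored as ^...$."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else None
        has_meta = any(c in META for c in fields[0])
        specs.append((has_meta, ftype, re.compile("^" + fields[0] + "$"), fields[-1]))
    # Stable sort: regex entries first, literal paths last, file order kept within each.
    specs.sort(key=lambda s: not s[0])
    return specs

def lookup(specs, path, ftype=None):
    """Scan from the end, so literal paths and then later regex entries win."""
    for _, spec_type, regex, context in reversed(specs):
        if spec_type and ftype and spec_type != ftype:
            continue
        if regex.match(path):
            return context
    return None

def synthetic(n):
    """Constructed filler entries, to approximate a distribution-sized file."""
    return "".join(f"/opt/app{i}(/.*)?  system_u:object_r:usr_t:s0\n" for i in range(n))

def timed(text, path):
    """Return (context, seconds spent loading, seconds spent matching)."""
    t0 = time.perf_counter()
    specs = load_specs(text)
    t1 = time.perf_counter()
    context = lookup(specs, path)
    return context, t1 - t0, time.perf_counter() - t1
```

Calling `timed(SAMPLE + synthetic(4000), "/dev")` returns the context together with the load and match durations, which can be compared with the `user` figures reported for matchpathcon above.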
