Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Development (http://www.linux-archive.org/fedora-development/)
-   -   New benchmark on SELINUX and Fedora 15 from Phoronix (http://www.linux-archive.org/fedora-development/543300-new-benchmark-selinux-fedora-15-phoronix.html)

Pádraig Brady 06-23-2011 12:58 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On 23/06/11 12:28, Lennart Poettering wrote:
> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>
>> Greetings
>>
>> Perhaps it is of interest to this list that Phonorix has produced a new
>> benchmark about the performance impact of SELinux on
>> Fedora 15. Look very good
>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>
> The biggest impact it has on boot time really. Might be worth measuring that.

A work colleague here did that a couple of days ago.
To boot to a usable desktop with stock F15 with gdm auto login:

with selinux: 43s
without selinux: 24s

Hardware is pinetrail netbook (1.6GHz Atom N455).
2GB RAM and SSD limited by SATA I interface.

cheers,
Pádraig.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Pádraig Brady 06-23-2011 12:58 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On 23/06/11 12:28, Lennart Poettering wrote:
> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>
>> Greetings
>>
>> Perhaps it is of interest to this list that Phonorix has produced a new
>> benchmark about the performance impact of SELinux on
>> Fedora 15. Look very good
>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>
> The biggest impact it has on boot time really. Might be worth measuring that.

A work colleague here did that a couple of days ago.
To boot to a usable desktop with stock F15 with gdm auto login:

with selinux: 43s
without selinux: 24s

Hardware is pinetrail netbook (1.6GHz Atom N455).
2GB RAM and SSD limited by SATA I interface.

cheers,
Pádraig.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Daniel J Walsh 06-23-2011 01:45 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
>
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
>
> with selinux: 43s
> without selinux: 24s
>
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
>
> cheers,
> Pádraig.

We have found one problem in libselinux that could account for some of
the slowdown, but not much, this increases the spead of matchpathcon.
We have fixed this in F16.

Tests conducted in Rawhide.

systemd reads in policy file and loads it in the kernel.

# du -m /etc/selinux/targeted/policy/policy.26
7 /etc/selinux/targeted/policy/policy.26

The load_policy command on my T61 does pretty much the equivalent.

# time load_policy

real 0m7.483s
user 0m0.000s
sys 0m2.255s

systemd and udev both load the file_context files and create regexs
based on these files. matchpathcon does the equivalent.

time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m0.069s
user 0m0.012s
sys 0m0.021s

Obviously this is a more powerful machine then the Atom, but I would
figure loading of the policy is the culprit.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DQ2QACgkQrlYvE4MpobMvywCdHt07Jtfef5 e6oQHLEM/6OToy
F18AoIt+je00t/uPSt9vMOj0L/4nwhnX
=32eQ
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 06-23-2011 01:45 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
>
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
>
> with selinux: 43s
> without selinux: 24s
>
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
>
> cheers,
> Pádraig.

We have found one problem in libselinux that could account for some of
the slowdown, but not much, this increases the spead of matchpathcon.
We have fixed this in F16.

Tests conducted in Rawhide.

systemd reads in policy file and loads it in the kernel.

# du -m /etc/selinux/targeted/policy/policy.26
7 /etc/selinux/targeted/policy/policy.26

The load_policy command on my T61 does pretty much the equivalent.

# time load_policy

real 0m7.483s
user 0m0.000s
sys 0m2.255s

systemd and udev both load the file_context files and create regexs
based on these files. matchpathcon does the equivalent.

time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m0.069s
user 0m0.012s
sys 0m0.021s

Obviously this is a more powerful machine then the Atom, but I would
figure loading of the policy is the culprit.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DQ2QACgkQrlYvE4MpobMvywCdHt07Jtfef5 e6oQHLEM/6OToy
F18AoIt+je00t/uPSt9vMOj0L/4nwhnX
=32eQ
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Daniel J Walsh 06-23-2011 01:45 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
>
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
>
> with selinux: 43s
> without selinux: 24s
>
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
>
> cheers,
> Pádraig.

We have found one problem in libselinux that could account for some of
the slowdown, but not much, this increases the spead of matchpathcon.
We have fixed this in F16.

Tests conducted in Rawhide.

systemd reads in policy file and loads it in the kernel.

# du -m /etc/selinux/targeted/policy/policy.26
7 /etc/selinux/targeted/policy/policy.26

The load_policy command on my T61 does pretty much the equivalent.

# time load_policy

real 0m7.483s
user 0m0.000s
sys 0m2.255s

systemd and udev both load the file_context files and create regexs
based on these files. matchpathcon does the equivalent.

time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m0.069s
user 0m0.012s
sys 0m0.021s

Obviously this is a more powerful machine then the Atom, but I would
figure loading of the policy is the culprit.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DQ2QACgkQrlYvE4MpobMvywCdHt07Jtfef5 e6oQHLEM/6OToy
F18AoIt+je00t/uPSt9vMOj0L/4nwhnX
=32eQ
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Daniel J Walsh 06-23-2011 01:45 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros@gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
>
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
>
> with selinux: 43s
> without selinux: 24s
>
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
>
> cheers,
> Pádraig.

We have found one problem in libselinux that could account for some of
the slowdown, but not much, this increases the spead of matchpathcon.
We have fixed this in F16.

Tests conducted in Rawhide.

systemd reads in policy file and loads it in the kernel.

# du -m /etc/selinux/targeted/policy/policy.26
7 /etc/selinux/targeted/policy/policy.26

The load_policy command on my T61 does pretty much the equivalent.

# time load_policy

real 0m7.483s
user 0m0.000s
sys 0m2.255s

systemd and udev both load the file_context files and create regexs
based on these files. matchpathcon does the equivalent.

time matchpathcon /dev
/dev system_u:object_r:device_t:s0

real 0m0.069s
user 0m0.012s
sys 0m0.021s

Obviously this is a more powerful machine then the Atom, but I would
figure loading of the policy is the culprit.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DQ2QACgkQrlYvE4MpobMvywCdHt07Jtfef5 e6oQHLEM/6OToy
F18AoIt+je00t/uPSt9vMOj0L/4nwhnX
=32eQ
-----END PGP SIGNATURE-----
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Matthew Miller 06-23-2011 01:52 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On Thu, Jun 23, 2011 at 12:58:22PM +0200, yersinia wrote:
> Perhaps it is of interest to this list that Phonorix has produced a new
> benchmark about the performance impact of SELinux on
> Fedora 15. Look very good
> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .

Spoiler: negligible impact in gaming, compression, media conversion,
multithreaded IO, and SQL tests; 5% hit for a mail server and 11% for
a simple web server benchmark.

Since those network services are where SELinux brings a huge benefit, I
think the overal takeaway is "yay SELinux!"

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Matthew Miller 06-23-2011 01:52 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On Thu, Jun 23, 2011 at 12:58:22PM +0200, yersinia wrote:
> Perhaps it is of interest to this list that Phonorix has produced a new
> benchmark about the performance impact of SELinux on
> Fedora 15. Look very good
> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .

Spoiler: negligible impact in gaming, compression, media conversion,
multithreaded IO, and SQL tests; 5% hit for a mail server and 11% for
a simple web server benchmark.

Since those network services are where SELinux brings a huge benefit, I
think the overal takeaway is "yay SELinux!"

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Matthew Miller 06-23-2011 01:52 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On Thu, Jun 23, 2011 at 12:58:22PM +0200, yersinia wrote:
> Perhaps it is of interest to this list that Phonorix has produced a new
> benchmark about the performance impact of SELinux on
> Fedora 15. Look very good
> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .

Spoiler: negligible impact in gaming, compression, media conversion,
multithreaded IO, and SQL tests; 5% hit for a mail server and 11% for
a simple web server benchmark.

Since those network services are where SELinux brings a huge benefit, I
think the overal takeaway is "yay SELinux!"

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Matthew Miller 06-23-2011 01:52 PM

New benchmark on SELINUX and Fedora 15 from Phoronix
 
On Thu, Jun 23, 2011 at 12:58:22PM +0200, yersinia wrote:
> Perhaps it is of interest to this list that Phonorix has produced a new
> benchmark about the performance impact of SELinux on
> Fedora 15. Look very good
> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2 .

Spoiler: negligible impact in gaming, compression, media conversion,
multithreaded IO, and SQL tests; 5% hit for a mail server and 11% for
a simple web server benchmark.

Since those network services are where SELinux brings a huge benefit, I
think the overal takeaway is "yay SELinux!"

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 09:50 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.