Re: The price of SELinux (CPU)

On Tue, 4 Oct 2005, John Richard Moser wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I've heard that SELinux has produced benchmarks such as 7% increased CPU
> load.

The overall performance hit across several micro and macro benchmarks, 
when last measured last year sometime, was around 7%, depending on 
workload and what you were testing.  It's a very rough figure and any 
serious benchmarking needs to be done for the intended workload.

The AVC is now linearly scalable (measured up to 32 processors) thanks to 
RCU and work by NEC.

>  Is this true and current?  Is it dependent on policy?  What is
> the policy lookup complexity ( O(1), O(n), O(nlogn)...)?  Are there
> other places where a bottleneck may exist aside from gruffing with the
> policy?  Isn't the policy actually in xattrs so it's O(1)?  Where else
> would an overhead that big come from aside from a lookup in a table?

The overhead is generally independent of policy size, as policy is cached 
in the AVC and most workloads use a trivial number of policy rules in a 
steady state (often less than 20).

So, generally, you'll only have a very small number of AVC entries active, 
although you could have some longish hash chains if policy has not been 
reloaded since boot.

Look in /selinux/avc for stats.

Googling for "selinux performance" will guide you to:
http://www.livejournal.com/users/james_morris/2153.html


- James
-- 
James Morris
<[email protected]>
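
Added example, not part of the message above: a small parser for the AVC statistics under /selinux/avc, reporting the entry count, longest hash chain and cache hit rate the reply refers to. It assumes the `hash_stats` and `cache_stats` files in the layout the kernel's selinuxfs prints (on current systems the mount point is /sys/fs/selinux); the sample numbers are constructed, not measurements.

```python
"""Summarise SELinux AVC statistics (added example; sample data is constructed)."""
from pathlib import Path

# Constructed sample contents, in the layout selinuxfs prints.
SAMPLE_HASH_STATS = "entries: 18\nbuckets used: 16/512\nlongest chain: 2\n"
SAMPLE_CACHE_STATS = (
    "lookups hits misses allocations reclaims frees\n"
    "1200000 1199400 600 600 0 580\n"   # first CPU
    "800000 799800 200 200 0 202\n"     # second CPU
)

def parse_hash_stats(text):
    """Parse 'entries', 'buckets used: used/total' and 'longest chain'."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "buckets used":
            used, total = value.split("/")
            out["buckets_used"], out["buckets_total"] = int(used), int(total)
        elif key in ("entries", "longest chain"):
            out[key.replace(" ", "_")] = int(value)
    return out

def parse_cache_stats(text):
    """Sum the per-CPU rows under the header line into one total per column."""
    lines = text.strip().splitlines()
    fields = lines[0].split()
    totals = dict.fromkeys(fields, 0)
    for row in lines[1:]:
        for name, value in zip(fields, row.split()):
            totals[name] += int(value)
    return totals

def summarise(hash_text, cache_text):
    """Combine both files and add the overall AVC hit rate."""
    h, c = parse_hash_stats(hash_text), parse_cache_stats(cache_text)
    hit_rate = c["hits"] / c["lookups"] if c["lookups"] else 0.0
    return {**h, **c, "hit_rate": hit_rate}

def read_live(avc_dir="/selinux/avc"):
    """Read the real files; avc_dir is the mount point named in the message."""
    d = Path(avc_dir)
    return summarise((d / "hash_stats").read_text(), (d / "cache_stats").read_text())

if __name__ == "__main__":
    for k, v in summarise(SAMPLE_HASH_STATS, SAMPLE_CACHE_STATS).items():
        print(f"{k}: {v}")
```

A low entry count with a high hit rate matches the steady state described in the reply; a large "longest chain" value is the long-hash-chain case it mentions.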