On Friday 24 June 2005 01:46, Rudi Chiarito <nutello@xxxxxxxxxxxxx> wrote:
> On Thu, Jun 23, 2005 at 11:08:25AM -0400, Paul A Houle wrote:
> > desktop systems in a decade. Linux 2.6 is ready, but is SELinux?
>
> It depends on what you are doing. With some floating-point intensive
> code running on a cluster of FC3 dual Opterons, I wasn't able to measure
> SELinux overhead in a reliable manner. It seemed to be lost in the noise

When the CPU is busy executing application code that does not perform any system calls there should not be any SE Linux CPU overhead. So any code that is doing calculations (regardless of whether it's integer or floating point) and nothing else should not be impacted by SE Linux.

One area of overhead is in memory use; the SE Linux policy is stored in non-pageable kernel memory. If you have only a small amount of memory on the system (64M or less) then the memory taken by the SE Linux policy can have an impact on performance, leading to paging of application data when otherwise it might not page such data, or in OOM on machines without a swap space enabled.

The "strict" policy (which is not installed by default) will not run on a machine with 64M of RAM unless you do some significant tweaks. The "targeted" policy is less complex, smaller, and uses less RAM.

> Code that is more disk- and network-intensive should of course result
> in different observations.

Code that is disk intensive should not be an issue either. The shortest time for a seek is about 5ms. The most complex SE Linux access check will not take a fraction of 5ms so the performance impact should not be measurable.

Where the SE Linux performance impact is measurable is in network operations and IPC (including pseudo-tty). These are operations that involve SE Linux access checks and have operations occurring much more frequently than any hard disk can sustain.
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
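The split described in the message above can be measured with a small micro-benchmark. This is an added example, not part of the original message or of any SELinux project code; the function names, iteration counts and the use of a pipe as the IPC channel are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>

static double now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1e9 + ts.tv_nsec;
}

/* Pure computation: no system call inside the loop, so no kernel
 * security hook is reached and SELinux has nothing to check. */
double compute_ns_per_iter(long iters) {
    volatile double x = 1.0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        x = x * 1.0000001 + 0.5;
    return (now_ns() - t0) / iters;
}

/* Pipe IPC: every iteration is one write() plus one read(), i.e. two
 * kernel entries that pass through the security hooks when SELinux is on. */
double pipe_ns_per_roundtrip(long iters) {
    int fd[2];
    char b = 'x';
    if (pipe(fd) != 0)
        return -1.0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++) {
        if (write(fd[1], &b, 1) != 1 || read(fd[0], &b, 1) != 1) {
            close(fd[0]); close(fd[1]);
            return -1.0;
        }
    }
    double dt = now_ns() - t0;
    close(fd[0]); close(fd[1]);
    return dt / iters;
}

/* How many operations of the given cost fit into one ~5 ms disk seek
 * (the seek time quoted in the message). */
double ops_per_seek(double ns_per_op) { return 5e6 / ns_per_op; }

int main(void) {
    double c = compute_ns_per_iter(50000000L);
    double p = pipe_ns_per_roundtrip(1000000L);
    printf("compute loop   : %8.2f ns/iter\n", c);
    printf("pipe round trip: %8.2f ns (%.0f per 5 ms seek)\n", p, ops_per_seek(p));
    return 0;
}
```

Build with `cc -O2` and run it once with SELinux enforcing and once with it disabled (check the mode with `getenforce`); any difference should show up in the pipe figure, not the compute figure.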