Re: Performance issues - huge amount of AVC misses

On 12/08/2015 11:21 AM, Michal Marciniszyn wrote:
> Hi,
>
> there are neither categories nor MLS used on the system. I'll get the
> amount of different types used by the system (I need to do some digging,
> will get the data tomorrow). Most of the classes will be regular files,
> directories and some symbolic links. There will be lots of files as
> AFAIK Vertica uses lots of smaller files.
>
> I'll try to reduce the amount of dontaudit rules and I'll see how much this
> reduces cache misses. The hard truth is that Vertica is looking at many
> places during the run, most of which it does not need. Maybe the way we
> have rules defined is creating a lot of stress on the amount of rules in
> the policy, I'll try to get the data on that.

Cache misses aren't related to your number of dontaudit rules (or your number of rules at all, for that matter). The optimal AVC size is driven by the number of unique (source security context, target security context, target security class) triples being accessed during the workload. Each entry holds a complete access vector decision structure, including permissions that are allowed, permissions that are audited when denied, and permissions that are audited when allowed.

I would recommend trying different values for the cache threshold and seeing how it performs. Collecting information on the number of domains, types, and classes involved in your workload may be helpful in determining the optimal value, but some experimentation will likely be required regardless.

Reducing the number of rules may help with the performance overhead when there is an AVC miss, but the first step is to reduce the AVC misses.
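
One way to measure the effect of each cache threshold value during the experimentation suggested above, as an added example that is not part of the original message. It assumes the selinuxfs files `/sys/fs/selinux/avc/cache_stats` and `/sys/fs/selinux/avc/cache_threshold`; the function names are hypothetical and the sample counters are constructed.

```shell
#!/bin/sh
# Added example. Assumes the selinuxfs cache_stats layout: one header line,
# then one row per CPU: lookups hits misses allocations reclaims frees.

# Sum the per-CPU rows of one snapshot; prints "<lookups> <misses> <reclaims>".
avc_totals() {
    awk 'NR > 1 { l += $1; m += $3; r += $5 }
         END    { printf "%d %d %d\n", l, m, r }' "$1"
}

# Compare two snapshots; prints "<miss rate in %> <entries reclaimed>".
# Prints "n/a" when no lookups happened or a counter wrapped in between.
avc_delta() {
    set -- $(avc_totals "$1") $(avc_totals "$2")
    awk -v l0="$1" -v m0="$2" -v r0="$3" -v l1="$4" -v m1="$5" -v r1="$6" 'BEGIN {
        dl = l1 - l0; dm = m1 - m0; dr = r1 - r0
        if (dl <= 0 || dm < 0 || dr < 0) { print "n/a"; exit }
        printf "%.2f %d\n", 100 * dm / dl, dr
    }'
}

# Constructed sample: two snapshots of a 2-CPU system taken around a workload.
avc_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
lookups hits misses allocations reclaims frees
1000000 990000 10000 10000 9000 9000
2000000 1985000 15000 15000 14000 14000
EOF
    cat > "$tmp/after" <<'EOF'
lookups hits misses allocations reclaims frees
1500000 1440000 60000 60000 59000 59000
2500000 2460000 40000 40000 39000 39000
EOF
    avc_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

# Live use: sh avcdelta.sh --live [seconds]
if [ "${1:-}" = "--live" ]; then
    stats=/sys/fs/selinux/avc/cache_stats
    tmp=$(mktemp -d) || exit 1
    cat "$stats" > "$tmp/t0"; sleep "${2:-60}"; cat "$stats" > "$tmp/t1"
    echo "threshold=$(cat /sys/fs/selinux/avc/cache_threshold) $(avc_delta "$tmp/t0" "$tmp/t1")"
    rm -rf "$tmp"
fi
```

Run it with `--live` under the same workload after each change to `cache_threshold` and compare the lines. A reclaim count that keeps pace with the miss count means entries are being evicted because the cache is over its threshold.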
