Re: Performance issues - huge amount of AVC misses

On 12/09/2015 11:07 AM, Joe Nall wrote:
> This thread motivated me to look at some test boxes. One is seeing about 2k misses per second under high load. Raising the cache_threshold to 1024 lowered that to 600 misses per second and raising it to 2048 lowered it to 0 with occasional bounces to 20-50.
>
> Are there any negatives to raising the cache_threshold?

Could waste memory and degrade the AVC hash chain lengths, but worth it if it makes AVC misses rare.

> What is the approximate cost of a miss?

On a miss, you're talking about a full security server access vector computation. Cost will depend on your policy (number of rules, type attribute density, number and complexity of constraints) but with the SL6 policy stats he was showing I imagine it is quite high.

> Is there a persistent mechanism to set the cache_threshold? The system is RHEL 6.6 with custom MLS policy.

Not without patching your kernel.
Just write the value to selinuxfs from an init script or set it via tmpfiles.d if using systemd.
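
Added example, not part of the original message or of any SELinux project code: a shell script that measures the AVC miss rate discussed above from the selinuxfs `avc/cache_stats` counters and writes a new `cache_threshold`, suitable for calling from an init script. The script name `avc-tune.sh` is hypothetical; the mount points (/selinux on RHEL 6, /sys/fs/selinux on newer systems) and the cache_stats layout (one header row, then one row per CPU) are assumptions to check on the target system.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, as root:
#   avc-tune.sh rate 10     # print AVC misses/second over 10 s
#   avc-tune.sh set 2048    # raise cache_threshold (call from an init script)
# systemd alternative, one tmpfiles.d line:
#   w /sys/fs/selinux/avc/cache_threshold - - - - 2048

selinuxfs_dir() {
    if [ -d /sys/fs/selinux/avc ]; then echo /sys/fs/selinux; else echo /selinux; fi
}

# Sum one named column over every per-CPU row of a cache_stats snapshot.
# Header row: lookups hits misses allocations reclaims frees
avc_sum() {  # $1 = snapshot file, $2 = column name
    awk -v col="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == col) c = i; next }
        c       { total += $c }
        END     { if (!c) exit 1; printf "%.0f\n", total }' "$1"
}

# Misses per second between two snapshots taken $3 seconds apart.
avc_miss_rate() {  # $1 = earlier snapshot, $2 = later snapshot, $3 = seconds
    m1=$(avc_sum "$1" misses) || return 1
    m2=$(avc_sum "$2" misses) || return 1
    [ "$m2" -ge "$m1" ] || return 1      # a counter wrapped or was reset
    echo $(( (m2 - m1) / $3 ))
}

# Write a new threshold after checking it is a plain decimal number.
set_cache_threshold() {  # $1 = value, $2 = selinuxfs dir (default: detected)
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    echo "$1" > "${2:-$(selinuxfs_dir)}/avc/cache_threshold"
}

case "${1:-}" in
rate)
    stats="$(selinuxfs_dir)/avc/cache_stats"
    a=$(mktemp) && b=$(mktemp) || exit 1
    cat "$stats" > "$a" && sleep "${2:-10}" && cat "$stats" > "$b" &&
        avc_miss_rate "$a" "$b" "${2:-10}"
    rc=$?; rm -f "$a" "$b"; exit "$rc" ;;
set)
    set_cache_threshold "${2:-}" ;;
esac
```

Comparing the `rate` output before and after a `set` under the same load shows whether the larger cache is worth the extra memory and longer hash chains mentioned in the reply.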

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx