[INFO] New benchmark on SELINUX and Fedora 15 from Phoronix

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/23/2011 08:58 AM, Pádraig Brady wrote:
> On 23/06/11 12:28, Lennart Poettering wrote:
>> On Thu, 23.06.11 12:58, yersinia (yersinia.spiros at gmail.com) wrote:
>>
>>> Greetings
>>>
>>> Perhaps it is of interest to this list that Phonorix has produced a new
>>> benchmark about the performance impact of SELinux on
>>> Fedora 15. Look very good
>>> http://www.phoronix.com/scan.php?page=article&item=fedora_15_selinux&num=2.
>>
>> The biggest impact it has on boot time really. Might be worth measuring that.
> 
> A work colleague here did that a couple of days ago.
> To boot to a usable desktop with stock F15 with gdm auto login:
> 
>   with selinux:    43s
>   without selinux: 24s
> 
> Hardware is pinetrail netbook (1.6GHz Atom N455).
> 2GB RAM and SSD limited by SATA I interface.
> 
> cheers,
> Pádraig.

We have found one problem in libselinux that could account for some of
the slowdown, but not much, this increases the spead of matchpathcon.
We have fixed this in F16.

Tests conducted in Rawhide.

systemd reads in policy file and loads it in the kernel.

# du -m /etc/selinux/targeted/policy/policy.26
7	/etc/selinux/targeted/policy/policy.26

The load_policy command on my T61 does pretty much the equivalent.

# time load_policy

real	0m7.483s
user	0m0.000s
sys	0m2.255s

systemd and udev both load the file_context files and create regexs
based on these files.  matchpathcon does the equivalent.

time matchpathcon /dev
/dev	system_u:object_r:device_t:s0

real	0m0.069s
user	0m0.012s
sys	0m0.021s

Obviously this is a more powerful machine then the Atom, but I would
figure loading of the policy is the culprit.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk4DQ2QACgkQrlYvE4MpobMvywCdHt07Jtfef5e6oQHLEM/6OToy
F18AoIt+je00t/uPSt9vMOj0L/4nwhnX
=32eQ
-----END PGP SIGNATURE-----