SELINUX performance issues

From: Anton Blanchard
Date: Sat Aug 07 2004 - 19:29:46 EST



Hi,

During SLES9 testing we noticed SELINUX caused rather large performance
regressions in network benchmarks. To retest this, I fired up
2.6.8-rc3-BK on a small POWER5 box (3 CPUs).

I enabled a bunch of stuff in my .config:

CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_ROOTPLUG=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_MLS=y

I then ran a number of copies of socklib to localhost. Socklib is a tool
from tridge which just pumps bytes down a TCP stream. Very simple stuff.
I found just over a 15% regression between enabling and disabling
selinux (using the same kernel, just specifying the selinux=off boot
option).

Oprofile shows where the problems are:

% function
3.0880 avc_has_perm_noaudit
1.7677 selinux_socket_sock_rcv_skb
0.8400 avc_has_perm
0.5687 security_node_sid
0.5324 security_port_sid
0.5164 sel_netif_lookup
0.5141 avc_lookup
0.5003 sel_netif_put
0.3001 sel_netif_find
0.2899 selinux_file_permission

The biggest problem is the global lock:

avc_has_perm_noaudit:
spin_lock_irqsave(&avc_lock, flags);

Any chance we can get rid of it? Maybe with RCU?

Anton
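The alternative the message asks about, as an added example that is not part of the original post and not kernel code: a user-space sketch of an RCU-style lookup, where permission checks take no lock and a writer publishes a replacement entry with one atomic pointer swap, in contrast to taking a global `avc_lock` on every check. The names `av_entry`, `av_check`, `av_update` and `av_reclaim` are hypothetical; C11 atomics stand in for the kernel's RCU primitives, writers are assumed to be serialized by the caller, and `av_reclaim` stands in for waiting out a grace period.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, simplified cache entry; not the kernel's AVC structures. */
struct av_entry {
    uint32_t ssid, tsid;           /* source / target security IDs */
    uint16_t tclass;               /* object class */
    uint32_t allowed;              /* permission bitmask */
    struct av_entry *retired_next; /* touched by the writer only */
};

#define SLOTS 64
static _Atomic(struct av_entry *) cache[SLOTS]; /* direct-mapped cache */
static struct av_entry *retired;                /* replaced entries awaiting reclaim */

static unsigned slot(uint32_t s, uint32_t t, uint16_t c) {
    return (s ^ (t << 2) ^ ((uint32_t)c << 4)) % SLOTS;
}

/* Read side: one acquire load, no lock and no store to shared memory.
 * Returns 1 = all requested bits allowed, 0 = denied, -1 = cache miss. */
int av_check(uint32_t s, uint32_t t, uint16_t c, uint32_t requested) {
    struct av_entry *e = atomic_load_explicit(&cache[slot(s, t, c)], memory_order_acquire);
    if (!e || e->ssid != s || e->tsid != t || e->tclass != c)
        return -1;
    return (e->allowed & requested) == requested;
}

/* Write side (assumed serialized by the caller): build a fresh entry,
 * publish it with one atomic exchange, queue the old one for later. */
int av_update(uint32_t s, uint32_t t, uint16_t c, uint32_t allowed) {
    struct av_entry *n = malloc(sizeof *n), *old;
    if (!n) return -1;
    *n = (struct av_entry){ s, t, c, allowed, NULL };
    old = atomic_exchange_explicit(&cache[slot(s, t, c)], n, memory_order_acq_rel);
    if (old) { old->retired_next = retired; retired = old; }
    return 0;
}

/* Stand-in for an RCU grace period: call only once no reader can hold a retired entry. */
unsigned av_reclaim(void) {
    unsigned n = 0;
    for (struct av_entry *e; (e = retired) != NULL; n++) {
        retired = e->retired_next;
        free(e);
    }
    return n;
}
```

Entries are never modified after publication, so a reader sees either the old or the new permission set in full; the cost moves to the writer, which must delay freeing replaced entries until readers are done with them.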