selinux and oracle
Darwin H. Webb
thethirddoorontheleft at verizon.net
Mon Jan 15 21:04:25 UTC 2007
Daniel J Walsh wrote:
> Darwin H. Webb wrote:
>> Daniel J Walsh wrote:
>>> Jack Null wrote:
>>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in
>>>> three weeks. Almost all of the documentation I have seen about
>>>> installing oracle on a selinux enabled server says to turn off
>>>> selinux. Only 1 document said that oracle and selinux can function
>>>> together. So can oracle and selinux play nice or do I have to turn
>>>> it off?
>>> They should be able to play nice. The only place they might hit
>>> would be if there is a web interface.
>>> Oracle might also be seeking to eke out every bit of performance.
>>> SELinux can add some load between 2-20% depending on which
>>> performance test you run.
>>>>
>>>> Thanks,
>>>> Adam
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>> "Oracle might also be seeking to eke out every bit of performance.
>> SELinux can add some load between 2-20% depending on which
>> performance test you run."
>>
>> I thought SELinux's overhead was only for the transitions and file
>> access thereby being a small amount of this total time (est. at 7%
>> untuned.)
> All access is being checked including things like network traffic. So
> if the application is doing something the kernel would require an
> access check on, SELinux will have some overhead. The 20% figure, I
> believe, comes from network throughput tests. So running a router
> with SELinux might not be a great idea.
>>
>> The web app would be using Oracle's security with a MyWebAppUsername.
>> Yes / No?
>>
>> Could you explain this overhead and where and what is doing it, please.
>> I don't see where it would be any greater than 7% of the volume of
>> transitions and file accesses (which would be different web files).
>> And that would be an Apache overhead whether a DBMS was being used or
>> not.
>>
>> Thank you,
>>
>> Darwin
>>
>
>
>
The tests at this link show about an overall 7%.
http://people.redhat.com/jmorris/selinux/bench/results/summary.txt
The only 2 tests that look strange are pipes and the 2 procs tbench tests.
This is from 2003. Do you know if anyone has run this again with the
newer security checks and gcc 4.1.1?
These 2 tests could have been a fluke (1, 3, 4 procs were not affected).
The overhead of SELinux would increase proportionally to the volume, but
not increase disproportionally except for possibly some interaction at
some load point near total saturation of most resources. This usually is
a sign of queues being dumped and reestablished.
Darwin