selinux and oracle
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 16 20:35:16 UTC 2007
Darwin H. Webb wrote:
> Daniel J Walsh wrote:
>> Darwin H. Webb wrote:
>>> Daniel J Walsh wrote:
>>>> Jack Null wrote:
>>>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in
>>>>> three weeks. Almost all of the documentation I have seen about
>>>>> installing oracle on a selinux enabled server says to turn off
>>>>> selinux. Only 1 document said that oracle and selinux can
>>>>> function together. So can oracle and selinux play nice or do I
>>>>> have to turn it off?
>>>> They should be able to play nice. The only place they might hit
>>>> would be if there is a web interface.
>>>> Oracle might also be seeking to eke out every bit of performance.
>>>> SELinux can add some load between 2-20% depending on which
>>>> performance test you run.
>>>>>
>>>>> Thanks,
>>>>> Adam
>>>>>
>>> "Oracle might also be seeking to eke out every bit of performance.
>>> SELinux can add some load between 2-20% depending on which
>>> performance test you run."
>>>
>>> I thought SELinux's overhead was only for the transitions and file
>>> access thereby being a small amount of this total time (est. at 7%
>>> untuned.)
>> All access is being checked including things like network traffic.
>> So if the application is doing something the kernel would require an
>> access check on, SELinux will have some overhead. The 20% figure, I
>> believe, comes from network throughput tests. So running a router
>> with SELinux might not be a great idea.
>>>
>>> The web app would be using Oracle's security with a
>>> MyWebAppUsername. Yes / No?
>>>
>>> Could you explain this overhead and where and what is doing it, please.
>>> I don't see where it would be any greater than 7% of the volume of
>>> transitions and file accesses (which would be different web files).
>>> And that would be an Apache overhead whether a DBMS was being used
>>> or not.
>>>
>>> Thank you,
>>>
>>> Darwin
>>>
>>
>>
>>
> The tests at this link show about an overall 7%.
>
> http://people.redhat.com/jmorris/selinux/bench/results/summary.txt
>
> The only 2 tests that look strange are pipes and the 2 procs tbench
> tests.
> This is from 2003, do you know if anyone has run this again with the
> newer security checks and gcc 4.1.1?
>
> These 2 tests could have been a fluc (1,3,4 procs were not affected.)
> The overhead of SELinux would increase proportional to the volume, but
> not increase disproportionately except for possibly some interaction
> at some load point near total saturation of most resources. This
> usually is a sign of queues being dumped and reestablished.
>
> Darwin
>
I hope to publish some more extensive performance tests on RHEL5 by the
end of the week.