Audit / Netlink slowness

Steve G linux_4ever at yahoo.com
Tue Jun 14 13:04:12 UTC 2005


Hi,

>Running "strace -r 2>strace.out su", I discovered that
>netlink communication is the major cause of slowdown.

netlink in theory should be fast. No routing or collisions.

>"su" connects to a NETLINK_AUDIT socket 3 or 4 times.
>Each time it does 2 sendto() + recvfrom() operations,

It does an audit subsystem status to see if it's enabled and if so a send of
auditable information. What version of pam, su, audit-libs, kernel are you using?

>with a latency of ~200ms.  This adds up to 800ms wasted
>time.

Just out of curiosity, what cpu & clock speed do you have? Are you running UP or
SMP kernel? This code path should be entirely cpu bound as no io devices are
involved.

>Disabling CONFIG_AUDIT in the kernel makes su and ssh
>very fast again.

You also lose part of your SE Linux avc messages. There was a deadlock condition
discovered and reported on the NSA SE Linux mail list. The solution was to move
part of the processing to syscall exit audit processing. With audit not compiled
in or enabled, you get an abbreviated avc message under some conditions.

>Is this behavior to be expected?

Not exactly. There will be *some* delay as we've added a lot of new
functionality, but 800 ms total delay is excessive. I'll see if we can find the
culprit.

Thanks,
-Steve Grubb
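
The measurement discussed in this thread, as an added example that is not part of the original message: a Python script that reads `strace -r` output and totals the time spent in calls on NETLINK_AUDIT sockets. The sample trace is constructed, and the script assumes strace prints the protocol as `NETLINK_AUDIT` or as its numeric value 9.

```python
import re
from collections import defaultdict

# Constructed sample in `strace -r` format (not output from the thread).
SAMPLE = """\
     0.000000 socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 3
     0.000150 sendto(3, "...", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
     0.000090 recvfrom(3, "...", 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
     0.201300 close(3) = 0
     0.000060 open("/etc/passwd", O_RDONLY) = 4
     0.000040 read(4, "...", 4096) = 1024
     0.000030 close(4) = 0
"""

LINE = re.compile(r"^\s*(\d+)\.(\d{6})\s+(\w+)\((.*)$")
AUDIT_SOCKET = re.compile(r"^PF_NETLINK,.*,\s*(NETLINK_AUDIT|9)\)\s*=\s*(\d+)")
FIRST_FD = re.compile(r"^(\d+)[,)]")


def audit_time(trace):
    """Return (per-syscall usec on audit sockets, audit total, overall total)."""
    calls = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            usec = int(m.group(1)) * 1_000_000 + int(m.group(2))
            calls.append((usec, m.group(3), m.group(4)))

    per_call, audit_fds, overall = defaultdict(int), set(), 0
    # -r stamps each line with the time since the PREVIOUS call began, so the
    # cost of call i (plus any userland time after it) is the delta on line i+1.
    for (_, name, args), (cost, _, _) in zip(calls, calls[1:]):
        overall += cost
        sock = AUDIT_SOCKET.match(args) if name == "socket" else None
        fd = FIRST_FD.match(args)
        if sock:
            audit_fds.add(int(sock.group(2)))
            per_call[name] += cost
        elif fd and int(fd.group(1)) in audit_fds:
            per_call[name] += cost
            if name == "close":
                audit_fds.discard(int(fd.group(1)))  # the fd number may be reused
    return dict(per_call), sum(per_call.values()), overall


if __name__ == "__main__":
    print(audit_time(SAMPLE))
```

The last call in a trace has no following timestamp, so its cost is unknown and is left out of the totals.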


		




More information about the fedora-devel-list mailing list