selinux and oracle

Daniel J Walsh dwalsh at redhat.com
Mon Jan 15 16:52:38 UTC 2007


Darwin H. Webb wrote:
> Daniel J Walsh wrote:
>> Jack Null wrote:
>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in 
>>> three weeks.  Almost all of the documentation I have seen about 
>>> installing oracle on a selinux enabled server says to turn off 
>>> selinux.  Only 1 document said that oracle and selinux can function 
>>> together.  So can oracle and selinux play nice or do I have to turn 
>>> it off?
>> They should be able to play nice.  The only place they might hit 
>> would be if there is a web interface.
>> Oracle might also be seeking to eke out every bit of performance.  
>> SELinux can add some load between 2-20% depending on which 
>> performance test you run.
>>>
>>> Thanks,
>>> Adam
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
> "Oracle might also be seeking to eke out every bit of performance.  
> SELinux can add some load between 2-20% depending on which performance 
> test you run."
>
> I thought SELinux's overhead was only for the transitions and file 
> access thereby being a small amount of this total time (est. at 7% 
> untuned.)
All access is being checked including things like network traffic.  So 
if the application is doing something the kernel would require an access 
check on, SELinux will have some overhead.  The 20% figure, I believe, 
comes from network throughput tests.  So running a router with SELinux 
might not be a great idea.
>
> The web app would be using Oracle's security with a MyWebAppUsername. 
> Yes / No?
>
> Could you explain this overhead and where and what is doing it, please.
> I don't see where it would be any greater than 7% of the volume of 
> transitions and file accesses (which would be different web files. And 
> that would be an Apache overhead whether a DBMS was being used or not.
>
> Thank you,
>
> Darwin
>



