selinux and oracle

Daniel J Walsh dwalsh at redhat.com
Tue Jan 16 20:35:16 UTC 2007


Darwin H. Webb wrote:
> Daniel J Walsh wrote:
>> Darwin H. Webb wrote:
>>> Daniel J Walsh wrote:
>>>> Jack Null wrote:
>>>>> I have a RHEL4U4 server that will become an Oracle 10gR2 server in 
>>>>> three weeks.  Almost all of the documentation I have seen about 
>>>>> installing oracle on a selinux enabled server says to turn off 
>>>>> selinux.  Only 1 document said that oracle and selinux can 
>>>>> function together.  So can oracle and selinux play nice or do I 
>>>>> have to turn it off?
>>>> They should be able to play nice.  The only place they might hit 
>>>> would be if there is a web interface.
>>>> Oracle might also be seeking to eke out every bit of performance.  
>>>> SELinux can add some load between 2-20% depending on which 
>>>> performance test you run.
>>>>>
>>>>> Thanks,
>>>>> Adam
>>>>>
>>>>> -- 
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>> "Oracle might also be seeking to eke out every bit of performance.  
>>> SELinux can add some load between 2-20% depending on which 
>>> performance test you run."
>>>
>>> I thought SELinux's overhead was only for the transitions and file 
>>> access thereby being a small amount of this total time (est. at 7% 
>>> untuned.)
>> All access is being checked including things like network traffic.  
>> So if the application is doing something the kernel would require an 
>> access check on, SELinux will have some overhead.  The 20% figure, I 
>> believe, comes from Network throughput tests.  So running a router 
>> with SELinux might not be a great idea.
>>>
>>> The web app would be using Oracle's security with a 
>>> MyWebAppUsername. Yes / No?
>>>
>>> Could you explain this overhead and where and what is doing it, please.
>>> I don't see where it would be any greater than 7% of the volume of 
>>> transitions and file accesses (which would be different web files). 
>>> And that would be an Apache overhead whether a DBMS was being used 
>>> or not.
>>>
>>> Thank you,
>>>
>>> Darwin
>>>
>>
>>
>>
> The tests at this link show about an overall 7%.
>
> http://people.redhat.com/jmorris/selinux/bench/results/summary.txt
>
> The only 2 tests that look strange are pipes and the 2 procs tbench 
> tests.
> This is from 2003, do you know if anyone has run this again with the 
> newer security checks and gcc 4.1.1?
>
> These 2 tests could have been a fluke (1,3,4 procs were not affected.)
> The overhead of SELinux would increase proportional to the volume, but 
> not increase disproportionally except for possibly some interaction 
> at some load point near total saturation of most resources. This 
> usually is a sign of queues being dumped and reestablished.
>
> Darwin
>
I hope to publish some more extensive performance tests on RHEL5 by the 
end of the week.
