The major performance hit that SELinux can make on the system is
in the kernel, where the hooks used through LSM divert the kernel
flow into the AVC. Usually, the working set of cached permissions
used in normal system operations is relatively small, fewer than
100 AVC entries for most systems with a focused mission. SELinux
maintains up to 512 entries in the cache, and does not usually need
to perform additional lookups outside of that cache.
If you suspect you are having performance problems due to
SELinux, or you generally want to fine tune your system, you can
monitor the AVC through the /selinux file system. The first file,
/selinux/avc/hash_stats, shows the number of entries, the number of
hash buckets used by the entries, and the length of the longest
hash chain:
cat /selinux/avc/hash_stats
entries: 521             # total number of AVC entries
buckets used: 285/512    # total number of buckets
longest chain: 6         # a hash chain of less than 10 is optimal
If your hash chains are growing to be larger than 10, there may
be a performance impact. You can consider reducing the size of the
cache. To increase or decrease the size of the cache, you can set a
new value through this tunable:
cat /selinux/avc/cache_threshold
512
echo 768 > /selinux/avc/cache_threshold
# Check to be sure the change took hold. Be sure you are
# root when using the targeted policy.
cat /selinux/avc/cache_threshold
768

Caution
The default value of 512 for the cache threshold in Red Hat
Enterprise Linux is set from extensive optimization benchmarking.
Changing this value could have negative effects on system
performance.
To be sure adjusting the cache limit is having positive effects
on your performance, watch the number of reclaimed cache entries.
Stale cache entries can build up following boot or long after
daemon startup, which requires reclaiming entries when more are
required for new processes. If you have a system where a high
number of entries change across a broad enough policy, this
reclamation may occur more often and affect system performance. You
can watch the reclaims column in the output of avcstat using the
-c option, which displays the cumulative values:
avcstat -c 1
... reclaims ...
... 800 ...
... 830 ...
... 876 ...
... 912 ...
... 955 ...
... 992 ...
Occasional reclaim activity is within the bounds of normal, and
it may increase when changing workloads. Excessive reclaims over a
sustained period of time should be looked into.
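The following script is an added example and is not part of the Red Hat guide. It reads the two statistics described above (the hash_stats file and the cumulative reclaims column of avcstat -c) from standard input, parses them, and reports the two conditions the text warns about: a longest hash chain above 10, and the per-interval growth of reclaims so that a sustained rate is visible at a glance. The sample inputs are constructed; the avcstat header line (column names, with reclaims located by name rather than by position) and the non-reclaim columns are assumptions, while the reclaims series and the hash_stats values are the ones quoted in the text.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: parse the two AVC statistics the text
# describes and flag the conditions it warns about (long hash chains, sustained
# reclaims). Every function reads on stdin, so it works on the constructed samples
# below as well as on live data, for example:
#   cat /selinux/avc/hash_stats | check_hash_stats
#   avcstat -c 1 | head -n 7 | reclaim_deltas
# Assumptions: the hash_stats layout is the one shown in the text, and avcstat's
# first line is a header naming a "reclaims" column.

# Constructed sample of /selinux/avc/hash_stats (values taken from the text).
SAMPLE_HASH_STATS='entries: 521
buckets used: 285/512
longest chain: 6'

# Constructed sample of 'avcstat -c 1' output: only the reclaims column (the series
# quoted in the text) matters here; the other columns are made-up filler.
SAMPLE_AVCSTAT='   lookups      hits    misses    allocs  reclaims     frees
   9100010   9092000      8010      8010       800       760
   9160550   9152400      8150      8150       830       790
   9221180   9212950      8230      8230       876       835
   9281900   9273590      8310      8310       912       870
   9342700   9334310      8390      8390       955       915
   9403580   9395100      8480      8480       992       950'

# Print "entries buckets_used buckets_total longest_chain" for the hash_stats
# text on stdin.
parse_hash_stats() {
    awk -F': *' '
        $1 == "entries"       { entries = $2 }
        $1 == "buckets used"  { split($2, b, "/"); used = b[1]; total = b[2] }
        $1 == "longest chain" { chain = $2 }
        END { print entries, used, total, chain }'
}

# Bound on the longest hash chain, from the text: chains longer than 10 may hurt.
MAX_CHAIN=10

# Print "ok" when the longest chain is within MAX_CHAIN, "long-chain" otherwise
# (with exit status 1), for the hash_stats text on stdin.
check_hash_stats() {
    set -- $(parse_hash_stats)
    if [ "$4" -gt "$MAX_CHAIN" ]; then
        echo "long-chain"
        return 1
    fi
    echo "ok"
}

# For 'avcstat -c' output on stdin, print the growth of the cumulative reclaims
# column between consecutive samples, space separated on one line. The header
# line is used to locate the column, so the position of "reclaims" does not matter.
reclaim_deltas() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "reclaims") col = i; next }
        col == 0 || NF < col { next }
        seen { out = out (out == "" ? "" : " ") ($col - prev) }
        { prev = $col; seen = 1 }
        END { print out }'
}

# Mean reclaims per second over the sampled window, for 'avcstat -c INTERVAL'
# output on stdin; INTERVAL is the first argument (default 1, as in the text).
reclaim_rate() {
    interval=${1:-1}
    reclaim_deltas | awk -v iv="$interval" '
        { for (i = 1; i <= NF; i++) sum += $i; n = NF }
        END { if (n == 0) print "0.0"; else printf "%.1f\n", sum / (n * iv) }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_HASH_STATS" | check_hash_stats
printf '%s\n' "$SAMPLE_AVCSTAT" | reclaim_deltas
printf '%s\n' "$SAMPLE_AVCSTAT" | reclaim_rate 1
```

On the page's own series (800, 830, 876, 912, 955, 992 at one-second intervals) the deltas come out as 30 46 36 43 37, a mean of 38.4 reclaims per second. The script deliberately does not hard-code a "too many reclaims" threshold, since the text gives none; compare the rate during a known-good period with the rate during the workload you are investigating.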