From: Dominick Grift <dac.override@gmail.com>
To: Michal Marciniszyn <michal.marciniszyn@gooddata.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Subject: Re: Performance issues - huge amount of AVC misses
Date: Tue, 8 Dec 2015 17:29:59 +0100 [thread overview]
Message-ID: <20151208162957.GC32680@x250> (raw)
In-Reply-To: <CAL8PO=2TMsT=DUJ-1oKKC+OutuHWVH1VqTsNDqKxKRVwon7Urw@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Tue, Dec 08, 2015 at 05:21:17PM +0100, Michal Marciniszyn wrote:
>
> I'll try to reduce amount of dontaudit rules and I'll see how much this
> reduces cache misses. The hard truth is, that vertica is looking at many
> places during the run, most of which it does not need. Maybe the way we
> have rules defined is creating a lot of stress on the amount of rules in
> the policy, I'll try to get the data on that.
>
Yes, no after second thought I now believe it is totally unrelated and
not an issue. The amount of dontaudit rules is huge in stock 6.6 as well
(You are adding like 10% (?) so that is pretty insignificant)
Also there little you can do about the majority of dontaudit rules.
So stock SL6.6 comes with 91 permissive domains? wow, just wow.
- --
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCgAGBQJWZwWBAAoJENAR6kfG5xmccvUMAJmXVcoBvqrXzN5kTHpWnHBM
wPrGdx18tEyHeokE0U6FSlqXSh8/Hl9Fn2VSZLUyYO5mYm2dMoCFHkw45zs9svAB
2ugG9hEmoNgaX8KPxSm1LwWn23zTxnngeq8HU4n+ZSblQiW+EAeLPTtSHhqtA2OC
sXIBm6B3lfp5OPinQTsZ5xvpfTNe8eyswhEej3DCzr02tw5rheYzk3KvPKXKP6wV
OpQH7CwZ5Fi/7Ik298lU4tR321qtvLwxMUGcSMGT3Nkakul/GhH/RQOis2SFKlAy
HZGr4z/eLtAiwTgKFt+TuEgS+auFyZIeu4rlnky8qUhcc+j4fAVzDTNPtRV6LDHG
+Z2kbjgvR0Qk7QI7szuHiFYUfV/8ts6uzGMLEaQtBNEH0K7X1d0wk5qLOBiKrZOa
Zp0Sjnsv/ADhlRMD4WnqJ4R5NvU/p7rhYq5Xlh9/NadBXOon9Q4KBFzGUa+ZDvpy
YH7hgaRMQoQuPW/3FPlU47v2o1lMusuyYXqgGsZZyA==
=W08P
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2015-12-08 16:29 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 10:25 Performance issues - huge amount of AVC misses Michal Marciniszyn
2015-12-08 10:44 ` Dominick Grift
2015-12-08 14:56 ` Michal Marciniszyn
2015-12-08 15:05 ` Daniel J Walsh
2015-12-08 15:10 ` Dominick Grift
2015-12-08 15:35 ` Stephen Smalley
2015-12-08 16:21 ` Michal Marciniszyn
2015-12-08 16:29 ` Dominick Grift [this message]
2015-12-08 17:06 ` Stephen Smalley
2015-12-08 15:29 ` Stephen Smalley
2015-12-08 16:16 ` Michal Marciniszyn
2015-12-09 10:07 ` Milos Malik
2015-12-09 10:19 ` Michal Marciniszyn
2015-12-09 13:15 ` Michal Marciniszyn
2015-12-09 15:05 ` Stephen Smalley
2015-12-09 16:07 ` Joe Nall
2015-12-09 17:07 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151208162957.GC32680@x250 \
--to=dac.override@gmail.com \
--cc=michal.marciniszyn@gooddata.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.