From: Stephen Smalley <sds@tycho.nsa.gov>
To: Joe Nall <joe@nall.com>
Cc: Michal Marciniszyn <michal.marciniszyn@gooddata.com>,
Milos Malik <mmalik@redhat.com>,
selinux@tycho.nsa.gov
Subject: Re: Performance issues - huge amount of AVC misses
Date: Wed, 9 Dec 2015 12:07:22 -0500
Message-ID: <56685FCA.3090107@tycho.nsa.gov>
In-Reply-To: <781F31F3-6348-48B0-861D-45CA6B4D4873@nall.com>
On 12/09/2015 11:07 AM, Joe Nall wrote:
> This thread motivated me to look at some test boxes. One is seeing about 2k misses per second under high load. Raising the cache_threshold to 1024 lowered that to 600 misses per second and raising it to 2048 lowered it to 0 with occasional bounces to 20-50.
>
> Are there any negatives to raising the cache_threshold?
Could waste memory and degrade the AVC hash chain lengths, but worth it
if it makes AVC misses rare.
> What is the approximate cost of a miss?
On a miss, you're talking about a full security server access vector
computation. Cost will depend on your policy (number of rules, type
attribute density, number and complexity of constraints) but with the
SL6 policy stats he was showing I imagine it is quite high.
> Is there a persistent mechanism to set the cache_threshold? The system is RHEL 6.6 with custom MLS policy.
Not without patching your kernel.
Just write the value to selinuxfs from an init script or set it via
tmpfiles.d if using systemd.
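The two things this reply points at, measuring the miss rate from the AVC statistics in selinuxfs and making the threshold stick across reboots, as an added example that is not part of the thread. The per-CPU stats samples are constructed, and the /sys/fs/selinux mount point is assumed (RHEL 6 mounts selinuxfs at /selinux, which the writer function takes as a parameter).

```sh
#!/bin/sh
# Constructed samples of /sys/fs/selinux/avc/cache_stats (one row per CPU after the
# header), taken one second apart; the numbers are made up for illustration.
SAMPLE_T0='lookups hits misses allocations reclaims frees
1000000 990000 10000 10000 9000 9000
2000000 1995000 5000 5000 4500 4500'
SAMPLE_T1='lookups hits misses allocations reclaims frees
1100000 1088500 11500 11500 10400 10400
2150000 2144500 5500 5500 5000 5000'

# Sum one column (1=lookups, 2=hits, 3=misses, ...) over the per-CPU rows.
sum_col() { # $1 column number, $2 stats text
    printf '%s\n' "$2" | awk -v c="$1" 'NR > 1 { s += $c } END { print s + 0 }'
}

# AVC misses per second between two samples: the figure quoted per box above.
miss_rate() { # $1 stats at t0, $2 stats at t1, $3 seconds between them
    m0=$(sum_col 3 "$1"); m1=$(sum_col 3 "$2")
    echo $(( (m1 - m0) / $3 ))
}

# Hit ratio of a sample as an integer percentage (0 if there are no lookups yet).
hit_percent() { # $1 stats text
    l=$(sum_col 1 "$1"); h=$(sum_col 2 "$1")
    [ "$l" -gt 0 ] || { echo 0; return; }
    echo $(( h * 100 / l ))
}

# Non-persistent change from an init script: write the new threshold to selinuxfs.
# The mount point is assumed; pass /selinux as $2 on systems that still mount it there.
set_threshold() { # $1 threshold, $2 selinuxfs mount (default /sys/fs/selinux)
    f="${2:-/sys/fs/selinux}/avc/cache_threshold"
    [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    echo "$1" > "$f"
}

# Persistent equivalent for systemd hosts: a tmpfiles.d(5) 'w' entry that writes the
# value at boot, e.g. placed in /etc/tmpfiles.d/selinux-avc.conf.
tmpfiles_line() { # $1 threshold
    printf 'w /sys/fs/selinux/avc/cache_threshold - - - - %s\n' "$1"
}

# Live use on a host with selinuxfs mounted (two samples one second apart):
#   miss_rate "$(cat /sys/fs/selinux/avc/cache_stats)" \
#             "$(sleep 1; cat /sys/fs/selinux/avc/cache_stats)" 1
```

Watch hash_stats in the same directory alongside the miss rate after raising the threshold, since a larger cache is where the longer chains this reply warns about would show up.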