SELinux performance

SELinux performance

[Joy Latten]

A while back I took up some SELinux performance work that a colleague of
mine, Kylie Hall had done. The patch added ipv4 address, ipv6 address
and port caches to SELinux. I believe I sent the patch a while back
also, but can do so again if anyone is interested. The caches are
exercised in such SELinux hooks as socket_bind(), socket_connect() and
socket_sock_rcv_skb(). Bandwidth has allowed me some time to work on
this. Can anyone recommend a benchmark that will exercise this code?  I
figured something that utilized many ip addresses or ports. 

I will be on vacation starting tomorrow, but will be reading email from
time to time as I would like to complete this work.

Regards,
Joy Latten

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux performance

[James Morris]

On Wed, 14 Dec 2005, Joy Latten wrote:

> A while back I took up some SELinux performance work that a colleague of
> mine, Kylie Hall had done. The patch added ipv4 address, ipv6 address
> and port caches to SELinux. I believe I sent the patch a while back
> also, but can do so again if anyone is interested. The caches are
> exercised in such SELinux hooks as socket_bind(), socket_connect() and
> socket_sock_rcv_skb(). Bandwidth has allowed me some time to work on
> this. Can anyone recommend a benchmark that will exercise this code?  I
> figured something that utilized many ip addresses or ports. 

apachebench is a good basic test, and you can also try webstone, lmbench 
and iperf.

Not sure how to realistically simulate large numbers of IP addresses.


- James
-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux performance

[sharp]

[-- Attachment #1: Type: text/plain, Size: 1152 bytes --]

On Wednesday 14 December 2005 06:47 pm, James Morris wrote:
> On Wed, 14 Dec 2005, Joy Latten wrote:
> > A while back I took up some SELinux performance work that a colleague of
> > mine, Kylie Hall had done. The patch added ipv4 address, ipv6 address
> > and port caches to SELinux. I believe I sent the patch a while back
> > also, but can do so again if anyone is interested. The caches are
> > exercised in such SELinux hooks as socket_bind(), socket_connect() and
> > socket_sock_rcv_skb(). Bandwidth has allowed me some time to work on
> > this. Can anyone recommend a benchmark that will exercise this code?  I
> > figured something that utilized many ip addresses or ports.
>
> apachebench is a good basic test, and you can also try webstone, lmbench
> and iperf.
>
> Not sure how to realistically simulate large numbers of IP addresses.

You might consider, budget permitting, something like Net Avalanche
<spirentcom>. Rack mountable thingy designed for stress testing using
realistic traffic: "simulates up to 50,000 simultaneously-connected 
users with unique IP addresses".  (Every home should have one.)

- s harp


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: SELinux performance

[Serge E. Hallyn]

Quoting sharp (steven.harp@adventiumlabs.org):
> On Wednesday 14 December 2005 06:47 pm, James Morris wrote:
> > On Wed, 14 Dec 2005, Joy Latten wrote:
> > > A while back I took up some SELinux performance work that a colleague of
> > > mine, Kylie Hall had done. The patch added ipv4 address, ipv6 address
> > > and port caches to SELinux. I believe I sent the patch a while back
> > > also, but can do so again if anyone is interested. The caches are
> > > exercised in such SELinux hooks as socket_bind(), socket_connect() and
> > > socket_sock_rcv_skb(). Bandwidth has allowed me some time to work on
> > > this. Can anyone recommend a benchmark that will exercise this code?  I
> > > figured something that utilized many ip addresses or ports.
> >
> > apachebench is a good basic test, and you can also try webstone, lmbench
> > and iperf.
> >
> > Not sure how to realistically simulate large numbers of IP addresses.
> 
> You might consider, budget permitting, something like Net Avalanche
> <spirentcom>. Rack mountable thingy designed for stress testing using
> realistic traffic: "simulates up to 50,000 simultaneously-connected 
> users with unique IP addresses".  (Every home should have one.)

Nifty.  If someone has one of these sitting around and wants to try
out Joy's (/Kylie's) patchset, that sounds like a very good test indeed.

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

selinux performance

[somayeh afzali]

[-- Attachment #1: Type: text/plain, Size: 188 bytes --]

hi,

is there a tool for checking selinux performance?

thanks

       
---------------------------------
Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase.

[-- Attachment #2: Type: text/html, Size: 344 bytes --]

Re: selinux performance

[James Morris]

On Sun, 1 Jul 2007, somayeh afzali wrote:

> hi,
> 
> is there a tool for checking selinux performance?

avcstat can help

-- 
James Morris
<jmorris@namei.org>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

selinux performance

[somayeh afzali]

[-- Attachment #1.1: Type: text/plain, Size: 138 bytes --]





       
---------------------------------
Get the free Yahoo! toolbar and rest assured with the added security of spyware protection. 

[-- Attachment #1.2: Type: text/html, Size: 242 bytes --]

[-- Attachment #2: Type: message/rfc822, Size: 1369 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 188 bytes --]

hi,

is there a tool for checking selinux performance?

thanks

       
---------------------------------
Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase.

[-- Attachment #2.1.2: Type: text/html, Size: 344 bytes --]

Re: selinux performance

[Steve G]

>is there a tool for checking selinux performance?

Do you mean what the performance change is between enabled and disabled? Or
whether or not SE Linux is working correctly? Or its performance statistics?
Performance can be interpreted many ways. We can give some suggestions if you
tell us what you are after.

-Steve


       
____________________________________________________________________________________
Got a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+kids&cs=bz 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.