Re: RSBAC performance in Linux 2.4.10

From: Amon Ott <ao@rsbac.org>
Subject: Re: RSBAC performance in Linux 2.4.10
Date: Mon, 14 Jan 2002 17:33:35 +0100

Next Article (by Author): Re: RSBAC performance in Linux 2.4.10 Amon Ott
Previous Article (by Author): Re: ask something about rsbac Amon Ott
Top of Thread: RSBAC performance in Linux 2.4.10 Pontus Lidman
Next in Thread: Re: RSBAC performance in Linux 2.4.10 Amon Ott
Articles sorted by: [Date] [Author] [Subject] 

On Sunday, 13. January 2002 16:55, Pontus Lidman wrote:
> I'm running rsbac 1.1.2, and I'm quite happy with the results, except
> for the performance problems. Reading the web pages, I got the
> impression that the performance impact would be negligible, but I
> noticed that many operations have become much slower. It is most
> noticeable when updating the locate database using 'updatedb'.
>
> I'm timing 'updatedb' on an old AMD K6-200, 96M of RAM, with 2
> IDE-disks, DMA is turned off.
>
> This is the result running Linux 2.4.10 without RSBAC:
>
> h83:~# time updatedb
>
> real    14m55.528s
> user    0m11.730s
> sys     0m17.350s
>
> Compare to the result running Linux 2.4.10 with rsbac 1.1.2 patch:
>
> h83:~# time updatedb
> /usr/bin/find: /var/rsbac: Operation not permitted
> /usr/bin/find: /usr/rsbac: Operation not permitted
> /usr/bin/find: /home/rsbac: Operation not permitted
> /usr/bin/find: /rsbac: Operation not permitted
> /usr/bin/find: /reiser/rsbac: Operation not permitted
>
> real    84m25.020s
> user    0m18.350s
> sys     70m19.230s
>
> The difference is quite significant... is this consistent with others
> experiences?

Is the 'Intercept Read/Write' switch turned on? Turning it off makes a big 
difference, without loosing much security. The fast benchmark results were 
with this option turned off.

Also, MS module with Read-Open scanning really sucks for performance.

Of interest: Did you look into your /proc/rsbac-info/xstats, what calls are 
made too often? How many attribute objects do you have 
(/proc/rsbac-info/stats)?

Amon.
--
http://www.rsbac.org
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.

Next Article (by Author): Re: RSBAC performance in Linux 2.4.10 Amon Ott
Previous Article (by Author): Re: ask something about rsbac Amon Ott
Top of Thread: RSBAC performance in Linux 2.4.10 Pontus Lidman
Next in Thread: Re: RSBAC performance in Linux 2.4.10 Amon Ott
Articles sorted by: [Date] [Author] [Subject]

Go to Compuniverse LWGate Home Page.