[cap-talk] System overheads - capabilities vs. SELinux (was: Re: Gnu Hurd status? Power box?)

Jed Donnelley jed at nersc.gov
Fri Mar 21 17:58:40 EDT 2008 

On 3/21/2008 12:11 PM, Jonathan S. Shapiro wrote:
> On Fri, 2008-03-21 at 19:46 +0100, Pierre THIERRY wrote:
>> Scribit Jonathan S. Shapiro dies 21/03/2008 hora 13:23:
>>> Actually, the disparity is more immediate than that. You may have had
>>> occasion to notice that there aren't really any solid measurements
>>> concerning the performance impact of SELinux...
>> Actually, there was a recent discovery that on embedded systems, SELinux
>> might induce more than 100% overhead on some operations[1]. I don't know
>> if it can be or has been fixed.
>>
>>   1. http://marc.info/?l=selinux&m=118845327521551&w=2
> 
> Yes. And note that the patch disables some checks that are firmly
> needed. What we don't know is what type of store is used on this target
> system.

Of course the above focuses on system overhead - which is
important at some level.  However, from my perspective as a
systems administrator the SELinux controls have been essentially
impossible to support on any but the most trivial canned
systems.  I know of several administrators who have tried
and ultimately been forced to give up when there was just
too much admin. overhead created.

This concern about admin. overhead has been leveled at
capability systems (e.g. from Lampson), but I believe such
criticism is misguided.  In my experience the fine grained
delegation in capability systems show up as simple parameter
passing that are invisible at the admin. level.  Nobody ever
asked an administrator to pass or verify subroutine parameters.
However, the "mandatory" aspect of SELinux controls seems to
inevitably require admin. intervention that seem to crop
up again and again and ultimately raise costs to an unbearable
level.

On many systems the overhead due to internal systems
checks are relatively insignificant - even if they are
pushed up to 200% or 400% of some previously also insignificant
level.  However, for any non-trivial system configurations
I think the administrative overhead of system management is
a clear and present cost.

--Jed  http://www.webstart.com/jed/

More information about the cap-talk mailing list