[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux and oracle



Daniel J Walsh wrote:
Darwin H. Webb wrote:
Daniel J Walsh wrote:
Jack Null wrote:
I have a RHEL4U4 server that will become an Oracle 10gR2 server in three weeks. Almost all of the documentation I have seen about installing oracle on a selinux enabled server says to turn off selinux. Only 1 document said that oracle and selinux can function together. So can oracle and selinux play nice or do I have to turn it off?
They should be able to play nice. The only place they might hit would be if there is a web interface. Oracle might also be seeking to eek out every bit of performace. SELinux can add some load between 2-20% depending on which performance test you run.

Thanks,
Adam

_________________________________________________________________
Find sales, coupons, and free shipping, all in one place! MSN Shopping Sales & Deals http://shopping.msn.com/content/shp/?ctid=198,ptnrid=176,ptnrdata=200639

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


"Oracle might also be seeking to eek out every bit of performace. SELinux can add some load between 2-20% depending on which performance test you run."

I thoht SELinux's overhead was only for the transitions and file access thereby being a small amount of this total time (est. at 7% untuned.)
All access is being checked including things like network traffic. So if the application is doing something the kernel would require an access check on, SELinux will have some overhead. The 20% figure, I believe, comes from Network through put tests. So running a router with SELinux might not be a great idea.

The web app would be using Oracle's security with a MyWebAppUsername. Yes / No?

Could you explain this overhead and where and what is doing it, please.
I don't see where it would be any greater than 7% of the volume of transitions and file accesses (which would be different web files. And that would be an Apache overhead whether a DBMS was being used or not.

Thank you,

Darwin




The tests at this link show about an overall 7%.

http://people.redhat.com/jmorris/selinux/bench/results/summary.txt

The only 2 tests that look strange are pipes and the 2 procs tbench tests.
This is from 2003, do you know if anyone has run this again with the newer security checks and gncc 4.1.1?

These 2 tests could have been a fluc (1,3,4 procs were not affected.)
The overhead of SELinux would increase proportional to the volume, but not increase dis-proportionally except for possibly some interaction at some load point near total saturation of most resources, This usually is a sign of queues being dumped and reestablished.

Darwin


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]