Presentation is loading. Please wait.

Presentation is loading. Please wait.

SELinux RHEL5: A benchmark

Published byLillian Kelley Modified over 5 years ago

Similar presentations

Presentation on theme: "SELinux RHEL5: A benchmark"— Presentation transcript:

1 SELinux RHEL5: A benchmark
Lars Strand INF Mandatory student assignment Autumn 2007

2 SELin...HÆH?? Developed by NSA. Today: Open Source.
In mainline Linux kernel since 2.6. Fedora since FC2. RHEL since v4. Today: RedHat aggressively pushes the development. SELinux consist of: Kernel patches. Uses LSM. Library 'libselinux' (ls,ps, ...) Administrative tools (sestatus, semanage, ...) Security policy.

3 Access Control Discretionary Access Control (DAC): The subjects are in control. “If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called identity-based access control (IBAC).” -- M. Bishop, computer security (2003). Mandatory Access Control (MAC): Access control enforced by the system – the subjects no longer in (full) control. “When a system mechanism controls access to and and individual user cannot alter that access, that control is a mandatory access control (MAC), occasionally called a rule-based access control.”

4 Security context Four security attributes:
<user>:<role>:<type>:<category/level> These build up a “security context”. Example: system_u:system_r:unconfined_t:s0:c0

5 Type Enforcement (TE)

6 SELinux MAC

7 AVC load (Munin) MySQL benchmark (”run-all-tests”)
Up to ~1 million queries / second.

8 Test setup – two hosts OS: RHEL5 Server (i386 and x64)

9 Trivia - sustained 1Gbps

10 Test 1a: Apache

11 Test 1b: Apache

12 Test 2: Postfix

13 Test 3: MySQL

14 Total average

15 Conclusions FC FAQ states: ~7% performance penalty.
These tests show ~6%. More CPU bound = less penalty. Penalty depends on: How program behaves. Security policy written for the program. Particular usage of the program. Dan Walsh: FC 8 has some improved SELinux kernel performance.

16 Questions? Read more - full report:
SELinux-Benchmark

Download ppt "SELinux RHEL5: A benchmark"

Similar presentations

Operating System Security

Operating System Security
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
JENNIS SHRESTHA CSC 345 April 22, 2014. Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.

JENNIS SHRESTHA CSC 345 April 22, Contents Introduction History Flux Advanced Security Kernel Mandatory Access Control Policies MAC Vs DAC Features.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)

By: Arpit Pandey SELINUX (SECURITY-ENHANCED LINUX)
Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.

Chapter 4: Security Policies Overview The nature of policies What they cover Policy languages The nature of mechanisms Types Secure vs. precise Underlying.
1 Flexible Mandatory Access Control (MAC) in Modern Operating Systems Jeffrey H. Jewell CS 591 December 7, 2009 Jeffrey H. Jewell CS 591 December 7, 2009.

1 Flexible Mandatory Access Control (MAC) in Modern Operating Systems Jeffrey H. Jewell CS 591 December 7, 2009 Jeffrey H. Jewell CS 591 December 7, 2009.
SELinux (Security Enhanced Linux) By: Corey McClurg.

SELinux (Security Enhanced Linux) By: Corey McClurg.
Security-Enhanced Linux Joseph A LaConte CS 522 December 8, 2004.

Security-Enhanced Linux Joseph A LaConte CS 522 December 8, 2004.
Shane Jahnke CS591 December 7, 2009.  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.

Shane Jahnke CS591 December 7,  What is SELinux?  Changing SELinux Policies  What is SLIDE?  Reference Policy  SLIDE  Installation and Configuration.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)

SELinux. 2SELinux Wikipedia says: Security-Enhanced Linux (SELinux) is an implementation of mandatory access control using Linux Security Modules (LSM)
Linux Security.

Linux Security.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Implementing SELinux as a Linux Security Module By Stephen Smalley Chris Vance & Wayne Salamon Presentation by: KASHIF HASAN

Implementing SELinux as a Linux Security Module By Stephen Smalley Chris Vance & Wayne Salamon Presentation by: KASHIF HASAN
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux)
Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.

Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.
Secure Operating Systems

Secure Operating Systems
SELinux US/Fedora/13/html/Security-Enhanced_Linux/

SELinux US/Fedora/13/html/Security-Enhanced_Linux/

Similar presentations

Ads by Google