Bug 374991 - We can reply to the FAQ for RSBAC/SELinux in Gentoo Hardened SELinux FAQ
Status: RESOLVED FIXED
Alias: None
Product: Documentation
Classification: Unclassified
Component: Project-specific documentation
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL: http://www.gentoo.org/proj/en/hardene...
Reported: 2011-07-12 18:28 UTC by kang
Modified: 2011-07-22 10:47 UTC

Description kang 2011-07-12 18:28:21 UTC
Original:

Can I use SELinux and RSBAC?

We don't know. If you try this combination, we would be very interested in its results.


Corrected version:

Can I use SELinux and RSBAC?

You can use SELinux together with RSBAC; however, the RSBAC framework added to the LSM framework (used by SELinux) will impact performance, for little added value. The RSBAC framework cannot be entirely disabled.
Therefore, it is not recommended. In most cases it makes more sense to use RSBAC without SELinux (or SELinux without RSBAC).

Background:
I am an RSBAC developer and have been handling RSBAC in Gentoo in the past.
I have run SELinux+RSBAC and it does work. Then again, I don't use it, nor recommend it. It was just out of curiosity, to see if the code was consistent.

Reproducible: Always
Comment 1 Sven Vermeulen 2011-07-13 21:35:55 UTC
Thanks for the information! I'll update the FAQ accordingly.
Comment 2 Sven Vermeulen 2011-07-13 21:42:27 UTC
Is the wording in http://goo.gl/uaaf4#rsbac good enough? (I don't mention that RSBAC cannot be entirely disabled; I don't think it is that important since, if you don't want it, you don't ask the question of SELinux + RSBAC ;-)
Comment 3 kang 2011-07-13 21:50:38 UTC
(In reply to comment #2)
> Is the wording in http://goo.gl/uaaf4#rsbac good enough (I don't mention that
> RSBAC cannot be entirely disabled, I don't think it is that important since, if
> you don't want it, you don't ask the question of SELinux + RSBAC ;-) ?

It's fine; however, I would word it in a way that makes it clear it's not RSBAC that is slower: both LSM with SELinux and RSBAC impact performance. What you wrote is correct, I just fear people could understand it the wrong way if we don't make it super clear. I hope that's not too nitpicking :)


Some background info because I felt like it:

They're both quite efficient, but still the impact generally goes from 1 to 7% (in my benchmarks).
When using both we're talking 2 to 14%, which starts to be an issue IMO.
The thing is that LSM and RSBAC put many hooks (often at the same place), so we're checking twice every time.

In fact RSBAC is generally slightly faster, as the policy is loaded in RAM at boot (single per-module file attribute storage) and not on demand. RSBAC then caches file-related decisions, while SELinux caches it all in the AVC instead, due to the fact that attributes are stored in xattrs.

For LSM-supported modules, the hook happens only once no matter the number of modules (it does check each module, of course).

RSBAC includes its own "LSM", so likewise the hook happens only once, no matter the number of RSBAC modules.

Using both will hook twice, and the performance impact is larger than just the module check.


OK, I hope I made sense :)
Comment 4 Sven Vermeulen 2011-07-13 22:04:55 UTC
Sure, is this <http://goo.gl/uaaf4#rsbac> better?
Comment 5 kang 2011-07-13 22:09:41 UTC
Looks good to me, thanks!