Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 374991

Summary: We can reply to the FAQ for RSBAC/SELinux in Gentoo Hardened SELinux FAQ
Product: Documentation Reporter: kang <kang>
Component: Project-specific documentationAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#rsbac
Whiteboard:
Package list:
Runtime testing required: ---

Description kang 2011-07-12 18:28:21 UTC 
Original:

Can I use SELinux and RSBAC?

We don't know. If you try this combination, we would be very interested in its results.


Corrected version:

Can I use SELinux and RSBAC?

You can use SELinux together with RSBAC, however, the RSBAC Framework added to the LSM Framework (used by SELinux) will impact the performance, for little value added. The RSBAC Framework cannot be entirely disabled.
Therefore, it is not recommended. In most cases it makes more sense to use RSBAC without SELinux (or SELinux without RSBAC).

Background:
I am a RSBAC developper and have been handling RSBAC in Gentoo in the past.
I have run SELinux+RSBAC and it does work. Then again I dont use it, nor recommend it. It was just out of curiosity / see if the code was consistent.

Reproducible: Always
Comment 1 Sven Vermeulen 2011-07-13 21:35:55 UTC 
thanks for the information! I'll update the FAQ accordingly
Comment 2 Sven Vermeulen 2011-07-13 21:42:27 UTC 
Is the wording in http://goo.gl/uaaf4#rsbac good enough (I don't mention that RSBAC cannot be entirely disabled, I don't think it is that important since, if you don't want it, you don't ask the question of SELinux + RSBAC ;-) ?
Comment 3 kang 2011-07-13 21:50:38 UTC 
(In reply to comment #2)
> Is the wording in http://goo.gl/uaaf4#rsbac good enough (I don't mention that
> RSBAC cannot be entirely disabled, I don't think it is that important since, if
> you don't want it, you don't ask the question of SELinux + RSBAC ;-) ?

Its fine, however, I would word it in a way that makes it clear its not RSBAC that is slower, both LSM with SELinux and RSBAC impact performance. What you wrote is correct, I just fear people could understand it the wrong way, if we dont make it super clear. I hope thats not too nitpicking :)


Some background info because I felt like it:

They're both quite efficient but still the impact generally goes from 1 to 7% (in my benchs).
When using both we're talking 2 to 14%, which starts to be an issue IMO.
The thing is that LSM and RSBAC put many hooks (often at the same place) so we're checking twice every time.

In fact RSBAC is generally slightly faster as the policy is loaded in ram at boot (single per module file attribute storage) and not on demand. RSBAC then caches file related decisions, while SELinux caches it all in the AVC instead, due to the fact that attributes are stored in xattrs.

For LSM-supported modules, the hook happens only once no matter the number of modules (it does check for each module of course)

RSBAC includes its own "LSM" so likewise, the hook happens only once, no matter the number of RSBAC modules.

Using both will hook twice and the performance impact is larger than just the module check


Ok, i hope I made sense :)
Comment 4 Sven Vermeulen 2011-07-13 22:04:55 UTC 
Sure, this <http://goo.gl/uaaf4#rsbac> better?
Comment 5 kang 2011-07-13 22:09:41 UTC 
looks good to me, thanks!