I have enabled SELinux in enforcing mode on Amazon Linux and see that the time taken for file access (read/write/update) has increased by an average of 2-4 seconds. The source process is Salt and the file access is related to the file.managed state of Salt (https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed). There are no corresponding denials in the audit.log file. As a brute-force approach, we tried adding allow rules for all denials in the log using audit2allow but could not improve the time taken to access files.
Is SELinux known to cause a performance hit in filesystem access? Are there known processes on a Linux system which affect time to access files?
Best Answer
SELinux is routinely enforcing on systems that do more IOPS than yours. Also, IOs regularly taking multiple seconds is intolerably poor performance, no matter what storage system or additional overhead.
Something else is happening. Use Linux's rich performance tools to reveal it. Some starting ideas:
biolatency, fio, or just touch
(Some of these require recent kernels for bpf and other features. I don't know how good Amazon Linux's tooling is for all of these.)
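As an added example (not part of the answer above and not Salt's own code), the following probe times each phase of a temp-file-then-rename update so the same run can be compared with SELinux enforcing and permissive. The phase sequence is an assumed approximation of a managed-file write, and the `/tmp` target directory and `probe-` file names are placeholders.

```python
import os
import statistics
import tempfile
import time


def _timed(fn, *args):
    """Run fn(*args) and return (result, elapsed_seconds)."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


def time_managed_write(directory, payload=b"x" * 4096):
    """Time each phase of one temp-file-then-rename update in `directory`."""
    phases = {}
    (fd, tmp), phases["create"] = _timed(tempfile.mkstemp, "", "probe-", directory)
    try:
        _, phases["write"] = _timed(os.write, fd, payload)
        _, phases["fsync"] = _timed(os.fsync, fd)
    finally:
        os.close(fd)
    _, phases["chmod"] = _timed(os.chmod, tmp, 0o644)
    target = os.path.join(directory, "probe-target")
    _, phases["rename"] = _timed(os.replace, tmp, target)
    _, phases["stat"] = _timed(os.stat, target)
    os.unlink(target)
    return phases


def summarize(directory, rounds=50):
    """Return {phase: (median_ms, max_ms)} over `rounds` updates."""
    samples = {}
    for _ in range(rounds):
        for phase, secs in time_managed_write(directory).items():
            samples.setdefault(phase, []).append(secs * 1000.0)
    return {p: (statistics.median(v), max(v)) for p, v in samples.items()}


if __name__ == "__main__":
    # Run once with `getenforce` reporting Enforcing and once Permissive,
    # against the directory the slow state writes to (assumed: /tmp here).
    with tempfile.TemporaryDirectory(dir="/tmp") as d:
        for phase, (med, worst) in summarize(d).items():
            print(f"{phase:7s} median={med:8.3f} ms  max={worst:8.3f} ms")
```

If every phase stays in the millisecond range in both modes, the multi-second delay is coming from somewhere other than the file operations themselves.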