SElinux Enforcing Mode – Does It Cause File Access Delays?

amazon-linuxselinux

I have enabled SElinux in enforcing mode on Amazon Linux and see that the time taken for file access (read/write/update) has increased by an average of 2-4 seconds. The source process is Salt and the file access is related to the file.managed state of Salt https://docs.saltstack.com/en/latest/ref/states/all/salt.states.file.html#salt.states.file.managed There are no corresponding denials in the audit.log file. As a brute-force approach, we tried adding allow rules for all denials in the log using audit2allow but could not improve the time taken to access files.

Is SElinux known to cause a performance hit in filesystem access? Are there known processes on a linux system which affect time to access files?

Best Answer

SELinux is routinely enforcing on systems that do more IOPS than yours. Also, IOs regularly taking multiple seconds is intolerably poor performance, no matter what storage system or additional overhead.

Something else is happening. Use Linux's rich performance tools to reveal it. Some starting ideas:

  • Measure the utilization of all performance resources on the host. CPU, disk bandwith, disk IOPS, memory, and so on.
  • Get a flame graph of what is on CPU when this thing is slow.
  • Use a programming language specific profiler on the problem lines of code. In this case, salt's file functions.
  • Get the block IO latency distribution such as with biolatency.
  • Benchmark raw IOs on this storage system using tools like fio, or just touch

(Some of these require recent kernels for bpf and other features. I don't know how good Amazon Linux's tooling is for all of these.)

Related Topic