Wednesday, October 5, 2011

Big SELinux improvements to land on Fedora 16

Fedora is a distribution that I am slowly appreciating more and more as I keep using it. Sure, it's not as polished for home users as other alternatives out there, but it is a great product nonetheless, and once one gets comfortable using it, it is a solid and reliable partner. Having said that, I still believe there are significant areas for improvement, such as the already mentioned lack of polish for home users, but also other things, such as performance levels that are not up there with the competition. I am excited to see this performance piece addressed prior to the Fedora 16 release, including promising enhancements in systemd, the complete removal of HAL and, probably most importantly, some much needed improvements in SELinux.

Testing of those improvements has produced impressive results, with significant cuts in boot times as well as application startup times (for those applications that rely on or interact with SELinux, that is). Dan Walsh has put together an ARTICLE on this, which I recommend reading in full if you want a better understanding of what these changes are and what their impact may be. If you are only interested in a high-level summary including those impressive figures, though, here it is:


Fedora 15 machine SELinux Policy size (compare the allow and dontaudit values):

$ seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Allow: 282444
Dontaudit: 184516

Fedora 16 machine SELinux Policy size:

$ seinfo
Statistics for policy file: /etc/selinux/targeted/policy/policy.26
Policy Version & Type: v.26 (binary, mls)
Allow: 88242
Dontaudit: 11302


Boot times showed similar improvements. Before the change was implemented:

Jul 28 06:39:29 tlondon systemd[1]: Startup finished in 3s 336ms 755us (kernel) + 11s 625ms 240us (initrd) + 28s 189ms 914us (userspace) = 43s 151ms 909us.

Now with the change in place:

Jul 29 06:00:41 tlondon systemd[1]: Startup finished in 1s 844ms 542us (kernel) + 4s 999ms 977us (initrd) + 29s 239ms 766us (userspace) = 36s 84ms 285us.

6.5 seconds faster!


Finally, another interesting piece is a much reduced use of resources. Below you can see the kernel memory consumption on a Red Hat 6 machine (without these improvements), measured here through the size of the compiled policy file:


# du -s /etc/selinux/targeted/policy/policy.24
6004 /etc/selinux/targeted/policy/policy.24

Now, Fedora 16 with the changes implemented:

# du -s /etc/selinux/targeted/policy/policy.26
2156 /etc/selinux/targeted/policy/policy.26
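As an added example (not from this post or from Dan Walsh's article), here is a small Python script that parses the seinfo counters and the systemd "Startup finished" journal lines quoted above and works out the reductions, so the same before/after comparison can be repeated on your own machine. The sample strings are the post's own figures; the function names and the regular expressions are my own assumptions about the output formats.

```python
import re

# Sample input: the seinfo summaries and journal lines quoted in the post above.
F15_SEINFO = """Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
Allow: 282444
Dontaudit: 184516"""
F16_SEINFO = """Statistics for policy file: /etc/selinux/targeted/policy/policy.26
Policy Version & Type: v.26 (binary, mls)
Allow: 88242
Dontaudit: 11302"""
BOOT_BEFORE = ("Jul 28 06:39:29 tlondon systemd[1]: Startup finished in 3s 336ms 755us (kernel)"
               " + 11s 625ms 240us (initrd) + 28s 189ms 914us (userspace) = 43s 151ms 909us.")
BOOT_AFTER = ("Jul 29 06:00:41 tlondon systemd[1]: Startup finished in 1s 844ms 542us (kernel)"
              " + 4s 999ms 977us (initrd) + 29s 239ms 766us (userspace) = 36s 84ms 285us.")

UNIT_US = {"s": 1_000_000, "ms": 1_000, "us": 1}


def parse_seinfo(text):
    """Return the integer counters ('Allow', 'Dontaudit', ...) from a seinfo summary."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^([A-Za-z ]+?):\s+(\d+)\s*$", text, re.M)}


def duration_us(span):
    """Convert a systemd span such as '3s 336ms 755us' to microseconds."""
    return sum(int(n) * UNIT_US[u] for n, u in re.findall(r"(\d+)(us|ms|s)", span))


def parse_startup(line):
    """Split a systemd 'Startup finished' line into per-stage microseconds plus the total."""
    m = re.search(r"Startup finished in (.+?) = (.+?)\.?$", line)
    stages = {}
    for part in m.group(1).split(" + "):          # e.g. '3s 336ms 755us (kernel)'
        span, name = part.rsplit(" (", 1)
        stages[name.rstrip(")")] = duration_us(span)
    stages["total"] = duration_us(m.group(2))
    return stages


def policy_reduction(old_text, new_text):
    """Percentage reduction of each counter present in both seinfo summaries, rounded to 0.1."""
    old, new = parse_seinfo(old_text), parse_seinfo(new_text)
    return {k: round(100.0 * (old[k] - new[k]) / old[k], 1) for k in old if k in new}


def boot_savings_us(before_line, after_line):
    """Microseconds saved per boot stage (negative means that stage got slower)."""
    before, after = parse_startup(before_line), parse_startup(after_line)
    return {stage: before[stage] - after[stage] for stage in before}


if __name__ == "__main__":
    for counter, pct in policy_reduction(F15_SEINFO, F16_SEINFO).items():
        print(f"{counter}: {pct}% fewer rules")
    for stage, us in boot_savings_us(BOOT_BEFORE, BOOT_AFTER).items():
        print(f"{stage}: {us / 1e6:+.3f} s saved")
```

Run against the post's own lines it shows that the saving comes entirely from the kernel and initrd stages, while the userspace stage is actually about a second slower in the second boot.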


If these results remain consistent when the final version is released, and if they sit on top of the improvements brought by the systemd changes and the HAL removal, I think we are in for the fastest Fedora experience ever!

Bring it on already!

1 comment:

  1. Fedora should ALSO be user friendly like Mint. All small-important-things should be available instantly, especially if it is free. But let's face it, being unstable for some reasons and tailored for experts - come on.. being in the top 5 on DistroWatch is totally not ok. Fedora should be a rival of Mint, not openSUSE.