Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Aidan Van Dyk <aidan(at)highrise(dot)ca>, josh(at)agliodbs(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)
Date: 2008-09-25 01:37:54
Message-ID: 48DAEB72.70509@ak.jp.nec.com
Lists: pgsql-hackers

Robert Haas wrote:
>> Yes, we need '--enable-selinux' to activate all of the SE-PostgreSQL features.
>>
>> In addition, these are invoked via security hooks which are declared
>> as inline functions. So, I think it does not give us additional loss of
>> performance when you don't add the compile time option explicitly.
>
> That is good as far as it goes but I assume that if this patch is
> accepted many vendors will build with this feature enabled, and many
> end-users will turn off SELinux but keep the same binaries. It's
> important that those people don't get hosed either.

When we run a binary with this feature on a non-SELinux'ed environment,
the security hooks simply return with reference to the flag variable
which shows whether SELinux is available on the host.

> It's also probably worth asking what the performance penalty is when
> you ARE using all the bells and whistles.

Are you referring to the performance penalty when the full functionality is enabled?
(The meaning of "bells and whistles" is unclear to me.)

We can show it on page 22 of my presentation at PGcon2008.
http://www.pgcon.org/2008/schedule/attachments/38_pgcon2008-sepostgresql.pdf

It shows a penalty of about 10% at maximum in pgbench, and larger databases
tend to have a relatively smaller performance penalty.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
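
Added example, not part of the original message and not code from the SE-PostgreSQL patch: a C sketch of the hook pattern the message describes, with a compile-time switch, inline hooks, and a runtime flag that makes the hook return early when SELinux is not available. Every identifier (`DEMO_ENABLE_SELINUX`, `demo_selinux_available`, `demo_hook_table_select`, `demo_policy_allows`) and the "secret" table rule are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; these are not SE-PostgreSQL's symbols. */
#define DEMO_ENABLE_SELINUX 1   /* stands in for building with --enable-selinux */

static bool demo_selinux_available = false; /* set once at startup from the host */
static int  demo_policy_lookups = 0;        /* counts slow-path policy checks */

/* Slow path: stand-in for a policy decision; constructed rule denies "secret". */
static bool demo_policy_allows(const char *table)
{
    demo_policy_lookups++;
    return strcmp(table, "secret") != 0;
}

#if DEMO_ENABLE_SELINUX
/* Feature compiled in: with SELinux off the hook costs a single flag test. */
static inline bool demo_hook_table_select(const char *table)
{
    if (!demo_selinux_available)
        return true;            /* same binary, host not using SELinux */
    return demo_policy_allows(table);
}
#else
/* Feature compiled out: an empty inline hook the compiler can drop entirely. */
static inline bool demo_hook_table_select(const char *table)
{
    (void) table;
    return true;
}
#endif

int main(void)
{
    bool allowed;

    demo_selinux_available = false;
    allowed = demo_hook_table_select("secret");
    printf("SELinux off: allowed=%d lookups=%d\n", allowed, demo_policy_lookups);

    demo_selinux_available = true;
    allowed = demo_hook_table_select("secret");
    printf("SELinux on:  allowed=%d lookups=%d\n", allowed, demo_policy_lookups);
    return 0;
}
```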
