Blog

The cost of improved security on a MySQL server

Security-Enhanced Linux or SELinux is a Linux kernel feature that provides a mechanism for supporting access control security policies. It enables a system administrator to create an extra set of rules that define allowed operations for programs even after the standard controls are checked. In other words, SELinux can help improving system security by restricting access of an application to only a few resources it actually needs, which makes it more difficult for an attacker to gain access to the entire system through exploiting any possible vulnerabilities in the application.

However as rarely anything in life is free, is there any price we have to pay to use SELinux on a MySQL server?

I ran a simple MySQL benchmark first with database working in a system with SELinux enabled (SELINUX=enforcing), and then also with the extra security layer entirely disabled (SELINUX=disabled).

The tests were performed on a 8-core system, running RedHat Enterprise Linux 6.2. The benchmark used Sysbench's read-write OLTP test with data fully fitting into the InnoDB buffer pool.

Here are the results:

selinux-mysql-throughput.png

selinux-mysql-response.png

As it turned out, the difference in MySQL performance was negligible with small concurrency. However at eight threads MySQL lost approximately 20% of the throughput when SELinux was enabled. At sixteen threads it got much worse. Not only the difference continued to grow, but while on a clean system MySQL was able to maintain the throughput and even show some improvements, with the security policies applied the throughput started dropping quite rapidly.

The impact of keeping SELinux enabled seems rather high on servers that can become busy, although it does not mean this security feature should always be avoided. There is always a balance of what is more important.

Often a database server is buried under many layers of other things such firewalls, reverse proxies, web servers, application servers, or various kinds of middleware. In such cases one may not actually need to rely on that extra bit of security in that place. But in cases when there are one or two servers running both web service and database (think a typical Wordpress site), it is unlikely that achieving the absolute top MySQL performance matters all that much, whereas keeping the server(s) safe does.

SELinux is not the only such solution out there, but the most popular as it is included in every Linux kernel. Often it is also enabled by default during the system installation process. Even more reasons to know what its impact on MySQL performance could be.

P.S. Yes, I am aware that running a Wordpress installation or a similar software rarely focuses one's concerns about security on the database server :-)

Take care of your MySQL performance.

MySQL audits available from only €99 per server. Learn More
blog comments powered by Disqus