We have a server with the Alma Linux 9.3 OS.
By default (as well as all current RHEL-like OSs) it has fapolicyd
enabled.
There is also an application server (WildFly/JBoss/Java) running on that server.
The deployed application processes some data files (submited by users) and it works fine in the standard situation.
However currently, there is a period of time when the application needs to process 1000-ish files per minute.
In such a situation, the fapolicyd
overhead is utilising ~15% of CPU which we evaluated as too much.
I was unable to find anyone with a similar problem on the internet.
I'm also suprprised there is no fapolicyd
tag here on ServerFault.
Questions:
- Is there a way to optimize
fapolicyd
configuration so that it could decide faster whether it allows or denies a file access?- One thing that comes to my mind is the ordering of custom rules.
- Maybe using wildcard vs. using literal rules.
- Any hints how to evaluate how much important
fapolicyd
is for us?- Whether we can just turn it off or whether it is really a good idea to have it running despite the huge overhead.
- Whether other distributions also use something like
fapolicyd
or whether it is "just additional security" andSELinux
is enough. (I know they are not the same.)
Sources: