On 12/04/2012 10:38 AM, Pádraig Brady wrote:
> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>> One of, if not the most, common problems people hit with SELinux is the mv
>> command, which maintains the file context of the source destination.
>>
>> mv /home/dwalsh/index.html /var/www/html/
>>
>> This blows up on everybody and then the users have no idea why.
>>
>> I was thinking about adding -Z (--restorecon) to mv and having it
>> basically do an internal restorecon on the destination.
>>
>> Then we could suggest people who get burnt by this to:
>>
>> alias mv="mv -Z"
>>
>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
>> regex, so there should be very little slow down in doing this.
>
> A question on performance. So there was a large matchpathcon() performance
> issue in Fedora 11 time, where we had a 20x slow down if
> matchpathcon_init_prefix() wasn't called
> https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24
> That should be fixed:

In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
regex, so there should be very little slow down in doing this. We have seen
a 40x speed up using the new version of matchpathcon.

> Does calling matchpathcon_init_prefix() still provide benefit on Fedora
> 18? More importantly, since the new selinux::restorecon_private() doesn't
> call matchpathcon_init_prefix(), will it have the large performance issues
> on Fedora <= 17 and other SELinux supporting platforms?

Yes, if you have a tight loop of mv -Z X Y, then you would take a hit on
each invocation. Since this is optional, I do not see this as a problem. The
install version was not optional, so a "make install" was exhibiting a huge
overhead. Basically almost .33/sec slow down. As of Fedora 18, there should
be very limited overhead, so this should not be a problem.

matchpathcon_init_prefix theoretically would still give you a speed up, but
I don't believe it is measurable with the new libraries.

> Not a huge issue since install(1) enables setdefaultfilecon() by default,
> whereas the new proposal would only enable when -Z is specified.

Yes, I missed this. I thought install had disabled this functionality
altogether.

> That's an inconsistency in the patch in this thread actually. install -Z
> runs the new restorecon(), while also running the old setdefaultfilecon().
> Seems like we may need to drop the new install -Z code for now, and
> possibly in future merge restorecon() and setdefaultfilecon()

Yes, I agree. This was my mistake.

> cheers, Pádraig.
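The behaviour the thread proposes for `mv -Z` (move, then restore the destination's label from the file_contexts policy), written out as a shell function. This is an added example, not the coreutils patch under discussion: it wraps the stock `mv` and the libselinux-utils commands `selinuxenabled`, `restorecon` and `matchpathcon`, and it takes the destination directory first so that any number of sources can be moved and relabelled with a single `restorecon` invocation rather than one per file (the per-invocation cost Daniel mentions for a tight loop of `mv -Z`). On a host without SELinux the relabel and verify steps are no-ops.

```shell
#!/bin/sh
# Added example, not part of the coreutils patch discussed above.
# Emulates the proposed `mv -Z`: move files, then relabel the moved names
# from policy so they stop carrying the source label (e.g. user_home_t under
# /var/www/html, which httpd_t is not allowed to read).

# True when an SELinux policy is loaded and the utilities are installed.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null
}

# mv_relabel DESTDIR SRC...
# Moves every SRC into DESTDIR, then runs restorecon once over all moved
# names. Batching the relabel avoids paying matchpathcon start-up per file.
# Returns 0 on success, 1 if the move fails, 2 on bad usage.
mv_relabel() {
    [ $# -ge 2 ] || { echo "usage: mv_relabel DESTDIR SRC..." >&2; return 2; }
    destdir=$1
    shift
    [ -d "$destdir" ] || { echo "mv_relabel: $destdir: not a directory" >&2; return 1; }
    moved=""
    for src in "$@"; do
        mv "$src" "$destdir"/ || return 1
        moved="$moved $destdir/$(basename "$src")"
    done
    if selinux_active; then
        # -F also resets user/role, not just type; -v prints each change.
        # $moved is intentionally unquoted: one word per moved path
        # (paths containing whitespace are not handled by this example).
        restorecon -F -v $moved || return 1
    fi
    return 0
}

# context_ok PATH
# Returns 0 when PATH's current label matches what policy says it should
# be (or when SELinux is not active), 1 when matchpathcon -V reports
# "has context X, should be Y".
context_ok() {
    selinux_active || return 0
    matchpathcon -V "$1" >/dev/null
}
```

Before relying on the wrapper on an SELinux host, `restorecon -n -v /var/www/html` is the dry run that lists every file whose label would change, and `ls -Z` shows the label that `mv` preserved from the source.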
