Issue #1702 has been updated by seanmil.

It would be trivial to adjust the SELinux support to only be active in Enforcing 
mode, but from an SELinux support standpoint this is not correct behavior.  Programs 
should still be actively managing file labels properly.  It is possible that 
the lack of managing file labels could result in a system which doesn't start 
properly if ever switched to enforcing mode.

As far as running restorecon at the end:  I had pondered that initially as an 
early approach, and that would be correct if the only goal was to restore files 
to their default label.  The new SELinux patches allow people to label files 
with labels other than the system defaults available via 
matchpathcon/restorecon.

What I am hoping is to find a way to convince Puppet that it only needs to call 
stat and matchpathcon once per file, instead of once for each label component.  
I have a couple of ideas on this I hope to work on this weekend.

----------------------------------------
Bug #1702: SELinux code inefficiently makes syscalls to stat and matchpathcon
http://projects.reductivelabs.com/issues/show/1702

Author: ohookins
Status: Accepted
Priority: Normal
Assigned to: seanmil
Category: file
Target version: 0.24.7
Complexity: Unknown
Affected version: 0.24.6
Keywords: 


<pre>
debug: /File[/var/lib/puppet/clientbucket]/seluser: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seluser: Found seluser default 
'system_u' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/selrole: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrole: Found selrole default 
'object_r' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/seltype: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seltype: Found seltype default 
'var_lib_t' for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/selrange: Executing 
'/usr/sbin/matchpathcon /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrange: Found selrange default '' 
for /var/lib/puppet/clientbucket
debug: /File[/var/lib/puppet/clientbucket]/seluser: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/selrole: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
debug: /File[/var/lib/puppet/clientbucket]/seltype: Executing '/usr/bin/stat -c 
%C /var/lib/puppet/clientbucket'
</pre>

The SELinux user, role and type are output from one invocation of either stat 
or matchpathcon:
<pre>
[EMAIL PROTECTED] ~]# /usr/bin/stat -c %C /var/lib/puppet/clientbucket
system_u:object_r:var_lib_t
[EMAIL PROTECTED] ~]# /usr/sbin/matchpathcon /var/lib/puppet/clientbucket
/var/lib/puppet/clientbucket    system_u:object_r:var_lib_t
</pre>

When the number of files that Puppet has to touch grows significantly, the 
number of syscalls it makes on behalf of SELinux operations grows a lot more 
(albeit only linearly). These are only two examples, but I think given the 
number of larger installations it is wise to think about the performance 
impact of running Puppet. I have noticed a significant increase in load on my 
clients after upgrading to 0.24.6, which has a lot more SELinux support.

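The optimization discussed in this ticket, as an added illustration that is not 
Puppet's own code: one lookup per file returns the whole "user:role:type[:range]" 
context, which is then split into the four components the seluser/selrole/seltype/ 
selrange properties need, so each property reads from a per-path cache instead of 
spawning stat or matchpathcon again. The two commands are stubbed with lambdas 
returning the output quoted above; the output formats assumed (stat -c %C prints 
the bare context, matchpathcon prints path then context) are taken from the 
ticket, and the class and method names are hypothetical.

```ruby
# Added example, not Puppet code: parse an SELinux context once per path and
# serve all four label components from the cached result.

SEL_COMPONENTS = %i[seluser selrole seltype selrange].freeze

# Split "user:role:type[:range]" into its components. The MLS/MCS range
# (e.g. "s0" or "s0-s0:c0.c1023") can itself contain colons, so split into at
# most four fields. A missing range becomes '' (matching the ticket's debug
# output, where selrange's default was the empty string).
def parse_context(context)
  user, role, type, range = context.to_s.strip.split(':', 4)
  if user.nil? || role.nil? || type.nil?
    raise ArgumentError, "not an SELinux context: #{context.inspect}"
  end
  { seluser: user, selrole: role, seltype: type, selrange: range.to_s }
end

# matchpathcon prints "<path><whitespace><context>"; the context is the last field.
def parse_matchpathcon_output(line)
  parse_context(line.strip.split(/\s+/).last)
end

# Memoizes the current (stat) and default (matchpathcon) context per path and
# counts how often each underlying reader was actually invoked.
class SelinuxContextCache
  attr_reader :calls

  # current_reader: path -> context string (what `stat -c %C` prints)
  # default_reader: path -> matchpathcon output line
  def initialize(current_reader:, default_reader:)
    @current_reader = current_reader
    @default_reader = default_reader
    @current = {}
    @default = {}
    @calls = Hash.new(0)
  end

  def current(path, component)
    @current[path] ||= begin
      @calls[:stat] += 1
      parse_context(@current_reader.call(path))
    end
    @current[path].fetch(component)
  end

  def default(path, component)
    @default[path] ||= begin
      @calls[:matchpathcon] += 1
      parse_matchpathcon_output(@default_reader.call(path))
    end
    @default[path].fetch(component)
  end
end

# Drives all four components through the cache for one path, using constructed
# stand-ins for stat and matchpathcon, and returns how many times each "ran".
def demo_lookup_counts
  path = '/var/lib/puppet/clientbucket'
  stat_stub = ->(_path) { 'system_u:object_r:var_lib_t' }
  matchpathcon_stub = ->(p) { "#{p}    system_u:object_r:var_lib_t" }
  cache = SelinuxContextCache.new(current_reader: stat_stub,
                                  default_reader: matchpathcon_stub)
  SEL_COMPONENTS.each do |component|
    cache.current(path, component)
    cache.default(path, component)
  end
  { stat: cache.calls[:stat], matchpathcon: cache.calls[:matchpathcon] }
end

if $PROGRAM_NAME == __FILE__
  puts parse_context('system_u:object_r:var_lib_t:s0-s0:c0.c1023').inspect
  puts demo_lookup_counts.inspect
end
```

Without the cache the same loop would invoke each reader once per component, 
which is the 4x matchpathcon / 3x stat pattern visible in the debug log above.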
