On Mon, Mar 3, 2014 at 12:24 PM, Laurent Bigonville wrote:
> On Mon, 03 Mar 2014 12:11:56 -0500,
> Zack Weinberg wrote:
>> But I think 15 seconds is still too slow. It *appears* that the
>> primary effect of "semodule -d NAME" is equivalent to "touch
>> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
>> what on earth is it doing that takes more than a few milliseconds?
>
> Well not only, it's also rebuilding the policy file under /etc/selinux
> and reloading it in the kernel, you could try to use -N, the policy will
> still be rebuilt but not reloaded in the kernel.
>
> Otherwise, you could just create the .disabled files by hand and then
> run semodule -B.
semodule -N makes no real difference. Starting from an installation
with nearly everything disabled:
# time semodule -e mongodb; \
time semodule -d mongodb; \
time semodule -N -e mongodb; \
time semodule -N -d mongodb

real    0m47.702s
user    0m41.455s
sys     0m4.236s

real    0m45.268s
user    0m41.943s
sys     0m2.216s

real    0m55.563s
user    0m53.191s
sys     0m2.344s

real    0m43.305s
user    0m41.851s
sys     0m1.448s
(mongodb picked more or less at random as a leaf module).
> I'm not sure this is a bug.
Well, I would ask that you consider two changes. Short term, warn
people in the documentation that semodule -e/-d can be very slow and,
for bulk operations, suggest manually creating or removing .disabled
files and then running semodule -B. Long term, work on making the
process of rebuilding the policy more efficient.
zw
___
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
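The bulk workaround Laurent suggests and Zack asks to have documented (create or remove the NAME.pp.disabled marker files by hand, then run semodule -B once) as an added, self-contained shell example. This is not code from either poster or from the SELinux project. It assumes the module-store layout shown in the thread, /etc/selinux/<store>/modules/active/modules/NAME.pp, with the Debian store name "default"; the SELINUX_STORE and SELINUX_MODDIR environment variables are this example's own knobs so the marker logic can be exercised against a scratch directory without touching the real store. Only the final semodule -B needs root, and it is the one expensive step, so a batch of N toggles costs one rebuild instead of N. Later libsemanage releases (2.4 and newer) moved the module store under /var/lib/selinux and record disabled modules differently, so confirm the layout on the target system before relying on marker files.

```shell
#!/bin/sh
# Added example (not from the thread): bulk enable/disable of SELinux policy
# modules via NAME.pp.disabled marker files, followed by a single rebuild.
#
# Assumptions: pre-libsemanage-2.4 store layout; SELINUX_STORE defaults to
# Debian's "default" store; SELINUX_MODDIR is an override used for testing.
: "${SELINUX_STORE:=default}"
: "${SELINUX_MODDIR:=/etc/selinux/${SELINUX_STORE}/modules/active/modules}"

# mark_disabled NAME...: create NAME.pp.disabled for each installed module.
# Returns 1 if any named module has no NAME.pp in the store (nothing is
# created for those), 0 otherwise.
mark_disabled() {
    missing=0
    for name in "$@"; do
        if [ -f "$SELINUX_MODDIR/$name.pp" ]; then
            : > "$SELINUX_MODDIR/$name.pp.disabled"
        else
            echo "warning: no module '$name' in $SELINUX_MODDIR" >&2
            missing=1
        fi
    done
    return "$missing"
}

# mark_enabled NAME...: remove the marker files so the modules are linked
# back into the policy on the next rebuild.
mark_enabled() {
    for name in "$@"; do
        rm -f "$SELINUX_MODDIR/$name.pp.disabled"
    done
}

# is_disabled NAME: exit 0 when the marker for NAME exists.
is_disabled() {
    [ -e "$SELINUX_MODDIR/$1.pp.disabled" ]
}

# list_disabled: print the names of all modules currently marked disabled.
list_disabled() {
    for f in "$SELINUX_MODDIR"/*.pp.disabled; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.pp.disabled}"
    done
}

# rebuild_policy: the one slow step. Relink the enabled modules, rebuild the
# binary policy and load it. Skipped with a note when semodule is absent.
rebuild_policy() {
    if command -v semodule >/dev/null 2>&1; then
        semodule -B
    else
        echo "semodule not found; skipping policy rebuild" >&2
    fi
}

# main disable|enable NAME...: toggle markers for the whole batch, then rebuild once.
main() {
    action=$1
    shift
    case $action in
        disable) mark_disabled "$@" || true ;;
        enable)  mark_enabled "$@" ;;
        *) echo "usage: $0 disable|enable NAME..." >&2; return 2 ;;
    esac
    rebuild_policy
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh selinux-bulk-toggle.sh disable mongodb apache postgresql` marks three modules and runs semodule -B once; `sh selinux-bulk-toggle.sh enable mongodb` reverses one of them with a second single rebuild. Unknown module names produce a warning and no marker, so a typo cannot leave a stray .disabled file that would be silently ignored by the next rebuild.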