On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> On Sun, 02 Mar 2014 17:09:39 -0500,
> Zack Weinberg <za...@panix.com> wrote:
>
>> Enabling or disabling any SELinux module with `semodule -e` / `-d`
>> takes approximately one minute, which makes manual module selection an
>> exercise in frustration. It should take no more than a second or two.
>
> On my machine here it takes around 15s.

I am working with a probably-underprovisioned cloud VM, so I'm not
surprised it's slower for me.

But I think 15 seconds is still too slow. It *appears* that the primary
effect of "semodule -d NAME" is equivalent to "touch
/etc/selinux/default/modules/active/modules/NAME.pp.disabled", so what
on earth is it doing that takes more than a few milliseconds?

> Could you check in /etc/selinux/semanage.conf if it contains
> a line with "expand-check=0"?

Yes, it does.

root@REDACTED # grep expand-check /etc/selinux/semanage.conf
# expand-check check neverallow rules when executing all semanage commands.
expand-check=0
zw
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel