[DSE-Dev] Bug#740563: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow
Zack Weinberg
zackw at panix.com
Mon Mar 3 17:11:56 UTC 2014
On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> On Sun, 02 Mar 2014 17:09:39 -0500,
> Zack Weinberg <zackw at panix.com> wrote:
>
>> Enabling or disabling any SELinux module with `semodule -e` / `-d`
>> takes approximately one minute, which makes manual module selection an
>> exercise in frustration. It should take no more than a second or two.
>
> On my machine here it takes around 15s.

I am working with a probably-underprovisioned cloud VM, so I'm not
surprised it's slower for me.

But I think 15 seconds is still too slow. It *appears* that the primary
effect of "semodule -d NAME" is equivalent to "touch
/etc/selinux/default/modules/active/modules/NAME.pp.disabled", so what
on earth is it doing that takes more than a few milliseconds?

> Could you check in /etc/selinux/semanage.conf if it contains
> a line with "expand-check=0"?

Yes, it does.

root at REDACTED # grep expand-check /etc/selinux/semanage.conf
# expand-check check neverallow rules when executing all semanage commands.
expand-check=0

zw