[DSE-Dev] Bug#740563: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow

Zack Weinberg zackw at panix.com
Mon Mar 3 17:11:56 UTC 2014


On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> On Sun, 02 Mar 2014 17:09:39 -0500,
> Zack Weinberg <zackw at panix.com> wrote:
>
>> Enabling or disabling any SELinux module with `semodule -e` / `-d`
>> takes approximately one minute, which makes manual module selection an
>> exercise in frustration.  It should take no more than a second or two.
>
> On my machine here it takes around 15s.

I am working with a probably-underprovisioned cloud VM, so I'm not 
surprised it's slower for me.

But I think 15 seconds is still too slow.  It *appears* that the primary 
effect of "semodule -d NAME" is equivalent to "touch 
/etc/selinux/default/modules/active/modules/NAME.pp.disabled", so what 
on earth is it doing that takes more than a few milliseconds?

> Could you check in /etc/selinux/semanage.conf if it contains
> a line with "expand-check=0"?

Yes, it does.

root at REDACTED # grep expand-check /etc/selinux/semanage.conf
# expand-check check neverallow rules when executing all semanage commands.
expand-check=0

zw


