[DSE-Dev] Bug#740563: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow
Laurent Bigonville
bigon at debian.org
Mon Mar 3 17:24:45 UTC 2014
On Mon, 03 Mar 2014 12:11:56 -0500,
Zack Weinberg <zackw at panix.com> wrote:
> On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> > On Sun, 02 Mar 2014 17:09:39 -0500,
> > Zack Weinberg <zackw at panix.com> wrote:
> >
> >> Enabling or disabling any SELinux module with `semodule -e` / `-d`
> >> takes approximately one minute, which makes manual module
> >> selection an exercise in frustration. It should take no more than
> >> a second or two.
> >
> > On my machine here it takes around 15s.
>
> I am working with a probably-underprovisioned cloud VM, so I'm not
> surprised it's slower for me.
>
> But I think 15 seconds is still too slow. It *appears* that the
> primary effect of "semodule -d NAME" is equivalent to "touch
> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
> what on earth is it doing that takes more than a few milliseconds?
Well, not only: it's also rebuilding the policy file under /etc/selinux
and reloading it in the kernel. You could try to use -N; the policy will
still be rebuilt but not reloaded in the kernel.
Otherwise, you could just create the .disabled files by hand and then
run semodule -B.
>
> > Could you check in /etc/selinux/semanage.conf if it contains
> > a line with "expand-check=0"?
>
> Yes, it does.
>
> root at REDACTED # grep expand-check /etc/selinux/semanage.conf
> # expand-check check neverallow rules when executing all semanage commands.
> expand-check=0
That's correct; without this parameter it might take even longer.
I'm not sure this is a bug.
Cheers,
Laurent Bigonville
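The two shortcuts Laurent describes (skip the kernel reload with -N, or create the .pp.disabled markers by hand and rebuild once with semodule -B) combine naturally when several modules have to be toggled: mark them all, then pay for one rebuild instead of one per module. The script below is an added example and is not code from the thread or from policycoreutils. It assumes the module store layout Zack names in the thread, $STORE/modules/active/modules/NAME.pp with NAME.pp.disabled as the marker, and assumes the last path component of the store directory is the store name semodule expects after -s; both are assumptions about the 2014 layout, so check them against your own /etc/selinux before relying on the script.

```shell
#!/bin/sh
# Batch-disable SELinux policy modules with a single policy rebuild.
#
# Assumed (not taken from the thread verbatim) store layout:
#   $STORE/modules/active/modules/NAME.pp           active module
#   $STORE/modules/active/modules/NAME.pp.disabled  marker semodule -d creates
#
# DRY_RUN=1 creates the markers but skips the semodule call, so the
# logic can be exercised on a host without SELinux.

STORE="${SELINUX_STORE:-/etc/selinux/default}"

# mark_disabled STORE NAME
# Create NAME.pp.disabled next to NAME.pp. Refuse to create a stray
# marker for a module that is not in the store, so a typo in a module
# name fails loudly instead of silently doing nothing.
mark_disabled() {
    store="$1"; name="$2"
    mod="$store/modules/active/modules/$name.pp"
    if [ ! -f "$mod" ]; then
        echo "mark_disabled: no module '$name' in $store" >&2
        return 1
    fi
    : > "$mod.disabled"
}

# batch_disable STORE NAME...
# Mark every module, then rebuild the policy once. -B rebuilds the
# policy file under /etc/selinux; -N leaves the kernel policy alone
# (reload it later with a plain semodule -B or at the next boot).
# Returns non-zero if any module was missing, after still rebuilding
# for the ones that were found.
batch_disable() {
    store="$1"; shift
    failed=0
    for name in "$@"; do
        mark_disabled "$store" "$name" || failed=1
    done
    if [ -n "$DRY_RUN" ]; then
        echo "dry run: markers written, semodule -B -N skipped" >&2
    else
        # Assumption: the store name is the basename of the store dir.
        semodule -B -N -s "${store##*/}" || return 1
    fi
    return $failed
}

# count_disabled STORE
# Number of NAME.pp.disabled markers currently present in the store.
count_disabled() {
    n=0
    for f in "$1/modules/active/modules"/*.pp.disabled; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Invoked directly: batch_disable against the configured store.
if [ $# -gt 0 ]; then
    batch_disable "$STORE" "$@"
fi
```

Run it as `sh batch-disable.sh module1 module2 ...` once you have confirmed the store path. Since semanage.conf on this system already has expand-check=0, the rebuild itself is as cheap as it will get; what the batching removes is the repeated rebuild and the repeated kernel load.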