[DSE-Dev] Bug#740563: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow

Laurent Bigonville bigon at debian.org
Mon Mar 3 17:24:45 UTC 2014

Le Mon, 03 Mar 2014 12:11:56 -0500,
Zack Weinberg <zackw at panix.com> a écrit :

> On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> > Le Sun, 02 Mar 2014 17:09:39 -0500,
> > Zack Weinberg <zackw at panix.com> a écrit :
> >
> >> Enabling or disabling any SELinux module with `semodule -e` / `-d`
> >> takes approximately one minute, which makes manual module
> >> selection an exercise in frustration.  It should take no more than
> >> a second or two.
> >
> > On my machine here it takes around 15s.
> I am working with a probably-underprovisioned cloud VM, so I'm not 
> surprised it's slower for me.
> But I think 15 seconds is still too slow.  It *appears* that the
> primary effect of "semodule -d NAME" is equivalent to "touch 
> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
> what on earth is it doing that takes more than a few milliseconds?

Well not only, it's also rebuilding the policy file under /etc/selinux
and reloading it in the kernel, you could try to use -N, the policy will
still be rebuilt but not reloaded in the kernel.

Otherwise, you could just create the .disabled files by hand and then
run semodule -B.

> > Could you check in /etc/selinux/semanage.conf if it contains
> > a line with "expand-check=0"?
> Yes, it does.
> root at REDACTED # grep expand-check /etc/selinux/semanage.conf
> # expand-check check neverallow rules when executing all semanage
> commands. expand-check=0

That's correct, without this parameter it might be even longer.

I'm not sure this is a bug.


Laurent Bigonville

More information about the SELinux-devel mailing list