[DSE-Dev] Bug#740563: Fwd: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow
zackw at panix.com
Mon Mar 3 19:38:41 UTC 2014
On Mon, Mar 3, 2014 at 12:24 PM, Laurent Bigonville <bigon at debian.org> wrote:
> On Mon, 03 Mar 2014 12:11:56 -0500,
> Zack Weinberg <zackw at panix.com> wrote:
>> But I think 15 seconds is still too slow. It *appears* that the
>> primary effect of "semodule -d NAME" is equivalent to "touch
>> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
>> what on earth is it doing that takes more than a few milliseconds?
> Well not only, it's also rebuilding the policy file under /etc/selinux
> and reloading it in the kernel, you could try to use -N, the policy will
> still be rebuilt but not reloaded in the kernel.
> Otherwise, you could just create the .disabled files by hand and then
> run semodule -B.
semodule -N makes no real difference. Starting from an installation
with nearly everything disabled:
# time semodule -e mongodb; \
time semodule -d mongodb; \
time semodule -N -e mongodb; \
time semodule -N -d mongodb
(mongodb picked more or less at random as a leaf module).
> I'm not sure this is a bug.
Well, I would ask that you consider two changes. Short term, warn
people in the documentation that semodule -e/-d can be very slow and,
for bulk operations, suggest manually creating or removing .disabled
files and then running semodule -B. Long term, work on making the
process of rebuilding the policy more efficient.
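
The bulk workflow suggested in this thread (create the .disabled files by hand, then run semodule -B once), as an added example that is not part of the original message or of policycoreutils. It assumes the module store layout quoted above; the STORE and REBUILD variables and the bulk_disable function are hypothetical names introduced for illustration.

```shell
#!/bin/sh
# Added example: disable many SELinux modules with a single policy rebuild.
# STORE defaults to the path quoted in the thread (assumption: the store
# uses the NAME.pp / NAME.pp.disabled layout described there).
STORE="${STORE:-/etc/selinux/default/modules/active/modules}"
# Rebuild command, overridable so the function can be exercised without
# touching the live policy.
REBUILD="${REBUILD:-semodule -B}"

# bulk_disable NAME...
# Creates NAME.pp.disabled for each installed module, then rebuilds once.
# Returns 0 on success, 1 if any name was rejected or could not be marked,
# 2 if the rebuild itself failed.
bulk_disable() {
    rc=0
    changed=0
    for name in "$@"; do
        # Refuse empty names, path separators and dot-names so a bad
        # argument can never create a file outside the module store.
        case "$name" in
            ''|*/*|.*) echo "rejected module name: $name" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$STORE/$name.pp" ]; then
            echo "module not installed: $name" >&2; rc=1; continue
        fi
        marker="$STORE/$name.pp.disabled"
        if [ -e "$marker" ]; then
            continue                      # already disabled, nothing to do
        fi
        if ! : > "$marker"; then
            echo "cannot create $marker" >&2; rc=1; continue
        fi
        changed=$((changed + 1))
    done
    # One rebuild for the whole batch instead of one per module.
    if [ "$changed" -gt 0 ]; then
        $REBUILD || return 2
    fi
    return "$rc"
}

# Run as a script: sh bulk-disable.sh mongodb another_module
if [ "$#" -gt 0 ]; then
    bulk_disable "$@"
fi
```

Re-enabling in bulk is the mirror image: remove the .disabled files and run semodule -B once.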