[DSE-Dev] Bug#740563: Fwd: Bug#740563: policycoreutils: semodule -d/-e is ridiculously slow

Zack Weinberg zackw at panix.com
Mon Mar 3 19:38:41 UTC 2014

On Mon, Mar 3, 2014 at 12:24 PM, Laurent Bigonville <bigon at debian.org> wrote:
> Le Mon, 03 Mar 2014 12:11:56 -0500,
> Zack Weinberg <zackw at panix.com> a écrit :
>> But I think 15 seconds is still too slow.  It *appears* that the
>> primary effect of "semodule -d NAME" is equivalent to "touch
>> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
>> what on earth is it doing that takes more than a few milliseconds?
> Well not only, it's also rebuilding the policy file under /etc/selinux
> and reloading it in the kernel, you could try to use -N, the policy will
> still be rebuilt but not reloaded in the kernel.
> Otherwise, you could just create the .disabled files by hand and then
> run semodule -B.

semodule -N makes no real difference.  Starting from an installation
with nearly everything disabled:

# time semodule -e mongodb; \
  time semodule -d mongodb; \
  time semodule -N -e mongodb; \
  time semodule -N -d mongodb

real    0m47.702s
user    0m41.455s
sys    0m4.236s

real    0m45.268s
user    0m41.943s
sys    0m2.216s

real    0m55.563s
user    0m53.191s
sys    0m2.344s

real    0m43.305s
user    0m41.851s
sys    0m1.448s

(mongodb picked more or less at random as a leaf module).

> I'm not sure this is a bug.

Well, I would ask that you consider two changes.  Short term, warn
people in the documentation that semodule -e/-d can be very slow and,
for bulk operations, suggest manually creating or removing .disabled
files and then running semodule -B.  Long term, work on making the
process of rebuilding the policy more efficient.


More information about the SELinux-devel mailing list