
Zdenek Pytela 10-02-2012 01:21 PM

semanage slow (Should I ignore or report this avc denial?)
 
Daniel J Walsh wrote:
>
> On 09/27/2012 10:34 AM, Sergio wrote:
> >
> >>>>
> >>>> The policy configuration supports two options:
> >>>>
> >>>> 1. silently deny this: setsebool -P vbetool_mmap_zero_ignore on
> >>>>
> >>>> or
> >>>>
> >>>> 2. allow this: setsebool -P mmap_low_allowed on
> >>>>
> >>>>
> >>>>
> >>>
> >>> A better solution is probably
> >>>
> >>> yum remove vbetool
> >>>
> >>> Since most people do not need it.
> >>
> >
> > For the while I went with
> >
> > # setsebool -P mmap_low_allowed on
> >
> > And it's taking quite a while to complete the job. The command is using
> > almost all of my old Athlon CPU for quite some time already.
> >
> > Is this normal?
> >
> > Note: last selinux-policy-targeted update got stuck and I eventually had to
> > stop it and then complete it afterwards (with yum-complete-transaction).
> > Just saying to give a perspective. Maybe I should stop the setsebool
> > process (not doing anything now in case I get an answer)? -- selinux
> > mailing list selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>
>
> setsebool -P and semanage commands are slow, they are doing a full recompile
> of all policy.
OK, I understand this. But what's the reason to be
semanage boolean -l
much slower than
getsebool -a
No recompiling, just gathering the booleans default state and short summary
in addition to the second command.

--

--Zdenek Pytela, <pytela@phil.muni.cz>


Daniel J Walsh 10-02-2012 06:16 PM

On 10/02/2012 09:21 AM, Zdenek Pytela wrote:
> Daniel J Walsh wrote:
>>
>> On 09/27/2012 10:34 AM, Sergio wrote:
>>>
>>>>>>
>>>>>> The policy configuration supports two options:
>>>>>>
>>>>>> 1. silently deny this: setsebool -P vbetool_mmap_zero_ignore on
>>>>>>
>>>>>> or
>>>>>>
>>>>>> 2. allow this: setsebool -P mmap_low_allowed on
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> A better solution is probably
>>>>>
>>>>> yum remove vbetool
>>>>>
>>>>> Since most people do not need it.
>>>>
>>>
>>> For the while I went with
>>>
>>> # setsebool -P mmap_low_allowed on
>>>
>>> And it's taking quite a while to complete the job. The command is
>>> using almost all of my old Athlon CPU for quite some time already.
>>>
>>> Is this normal?
>>>
>>> Note: last selinux-policy-targeted update got stuck and I eventually
>>> had to stop it and then complete it afterwards (with
>>> yum-complete-transaction). Just saying to give a perspective. Maybe I
>>> should stop the setsebool process (not doing anything now in case I get
>>> an answer)?
>>>
>>>
>>
>>
>> setsebool -P and semanage commands are slow, they are doing a full
>> recompile of all policy.
> OK, I understand this. But what's the reason to be
> semanage boolean -l
> much slower than
> getsebool -a
> No recompiling, just gathering the booleans default state and short summary
> in addition to the second command.
>
Yes this is because semanage is doing a lot of initialization stuff that could
probably be avoided if we were a little smarter.

