semanage slow (Should I ignore or report this avc denial?)
Zdenek Pytela
pytela at phil.muni.cz
Tue Oct 2 13:21:35 UTC 2012
Daniel J Walsh pise:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/27/2012 10:34 AM, Sergio wrote:
> >
> >>>>
> >>>> The policy configuration supports two options:
> >>>>
> >>>> 1. silently deny this: setsebool -P
> >>> vbetool_mmap_zero_ignore on
> >>>>
> >>>> or
> >>>>
> >>>> 2. allow this: setsebool -P mmap_low_allowed on
> >>>>
> >>>>
> >>>>
> >>>
> >>> A better solution is probably
> >>>
> >>> yum remove vbetool
> >>>
> >>> Since most people do not need it.
> >>
> >
> > For the while I went with
> >
> > # setsebool -P mmap_low_allowed on
> >
> > And it's taking quite a while to complete the job. The command is using
> > almost all of my old Athlon CPU for quite some time already.
> >
> > Is this normal?
> >
> > Note: last selinux-policy-targeted update got stuck and I eventually had to
> > stop it and then complete it afterwards (with yum-complete-transaction).
> > Just saying to give a perspective. Maybe I should stop the setsebool
> > process (not doing anything now in case I get an answer)? -- selinux
> > mailing list selinux at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> >
>
>
> setsebool -P and semanage commands are slow, they are doing a full recompile
> of all policy.
OK, I understand this. But what's the reason to be
semanage boolean -l
much slower than
getsebool -a
No recompiling, just gathering the booleans default state and short summary
in addition to the second command.
--
--Zdenek Pytela, <pytela at phil.muni.cz>
More information about the selinux
mailing list