selinux and udev ?
by Tom London
There are reports in fedora-test about the 2.X policy slowing down
udev. (It appears that folks are comparing booting with selinux=1 against
selinux=0).
I have to admit that udev is running slower (targeted/enforcing).
Any validity to this? Is it a known issue? How would one track it down?
tom
--
Tom London
'install' command goes "oink!" after recent updates.
by Valdis.Kletnieks@vt.edu
coreutils-5.93-4
libsepol-1.9.41-1
libsemanage-1.3.59-1
libsetrans-0.1.8-1
Not sure if this is a coreutils bug or an SELinux bug. Recently, I noticed
that a 'make install' that called /usr/bin/install ran *very* slowly:
% time cp hello.c /tmp/hello.c
real 0m0.040s
user 0m0.008s
sys 0m0.016s
% time /usr/bin/install -c -m 644 hello.c /tmp/hello.c
real 0m4.641s
user 0m1.608s
sys 0m0.388s
Literally 100 times slower. Gaak.
A bit of playing with strace showed why:
strace install -c -m 644 hello.c /tmp/hello.c
7,745 system calls. Of those, only 297 were *not* part of the 1,862 times
that 'install' did an open/write/read/close of /selinux/context - once for every
single file context entry it found, whether or not that entry had anything to do with
the file that was actually being installed.
This is a show-stopper, guys - when something like this bloats a 'make install'
from something that takes 2 minutes into something that you don't bother checking
until you get back from lunch, it *will* add dramatically to the "security takes
waaaay too much resources" bandwagon.
Almost-full strace follows.
execve("/usr/bin/install", ["install", "-c", "-m", "644", "hello.c", "/tmp/hello.c"], [/* 56 vars */]) = 0
brk(0) = 0x805a000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f16000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0
mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000
close(3) = 0
open("/usr/lib/libacl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\23"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=24996, ...}) = 0
mmap2(NULL, 27832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7efd000
mmap2(0xb7f03000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb7f03000
close(3) = 0
open("/lib/libselinux.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`2\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=83848, ...}) = 0
mmap2(NULL, 85008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ee8000
mmap2(0xb7efc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7efc000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0ZW\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1460028, ...}) = 0
mmap2(NULL, 1227740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dbc000
mmap2(0xb7ee2000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125) = 0xb7ee2000
mmap2(0xb7ee6000, 7132, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee6000
close(3) = 0
open("/usr/lib/libattr.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=32990, ...}) = 0
mmap2(NULL, 15376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db8000
mmap2(0xb7dbb000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7dbb000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\f\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=13892, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7db7000
mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db3000
mmap2(0xb7db5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7db5000
close(3) = 0
open("/lib/libsepol.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200#\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=204168, ...}) = 0
mmap2(NULL, 249380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d76000
mmap2(0xb7da8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x31) = 0xb7da8000
mmap2(0xb7da9000, 40484, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7da9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d75000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d756b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7db5000, 4096, PROT_READ) = 0
mprotect(0xb7ee2000, 8192, PROT_READ) = 0
mprotect(0xb7f30000, 4096, PROT_READ) = 0
munmap(0xb7f04000, 72776) = 0
access("/etc/selinux/", F_OK) = 0
brk(0) = 0x805a000
brk(0x807b000) = 0x807b000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "# Stray comment\nSELINUX=permissi"..., 4096) = 71
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 1024
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0
mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000
close(3) = 0
open("/lib/libsetrans.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=6804, ...}) = 0
mmap2(NULL, 9680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d72000
mmap2(0xb7d74000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d74000
close(3) = 0
munmap(0xb7f04000, 72776) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19) = 1
close(3) = 0
open("/etc/selinux/strict/setrans.conf", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=594, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000
read(3, "#\n# Multi-Category Security tran"..., 4096) = 594
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7f15000, 4096) = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 305
open("/proc/self/attr/current", O_RDONLY|O_LARGEFILE) = 4
read(4, "valdis:staff_r:staff_t:s0-s0:c0."..., 4095) = 37
close(4) = 0
close(3) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=54054656, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7b72000
mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0x121f) = 0xb7b40000
mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x2b89) = 0xb7b3f000
close(3) = 0
geteuid32() = 967
umask(0) = 022
stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
stat64("hello.c", {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
unlink("/tmp/hello.c") = 0
open("hello.c", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
open("/tmp/hello.c", O_WRONLY|O_CREAT|O_LARGEFILE, 0100664) = 4
fstat64(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0
read(3, "main() {printf(\"Hello world!\\n\")"..., 4096) = 35
write(4, "main() {printf(\"Hello world!\\n\")"..., 35) = 35
read(3, "", 4096) = 0
close(4) = 0
close(3) = 0
setxattr("/tmp/hello.c", "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x00\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
chmod("/tmp/hello.c", 0600) = 0
chown32("/tmp/hello.c", -1, -1) = 0
chmod("/tmp/hello.c", 0644) = 0
lstat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "1", 19) = 1
close(3) = 0
open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY|O_LARGEFILE) = 3
open("/etc/selinux/strict/contexts/files/file_contexts.homedirs", O_RDONLY|O_LARGEFILE) = 4
open("/etc/selinux/strict/contexts/files/file_contexts.local", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
fstat64(3, {st_mode=S_IFREG|0644, st_size=114044, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3e000
read(3, "# Distro-specific customizations"..., 4096) = 4096
read(3, "b[^/]*\\.so(\\.[^/]*)* --\tsystem_u"..., 4096) = 4096
read(3, "ovable device...\n/dev/pd[a-d][^/"..., 4096) = 4096
read(3, "r:bin_t:s0\n/opt(/.*)?/sbin(/.*)?"..., 4096) = 4096
read(3, "*)?\tsystem_u:object_r:man_t:s0\n/"..., 4096) = 4096
read(3, "/usr/sbin/accton\t--\tsystem_u:obj"..., 4096) = 4096
read(3, "-\tsystem_u:object_r:amanda_user_"..., 4096) = 4096
read(3, "\n/var/run/\\.?acpid\\.socket\t-s\tsy"..., 4096) = 4096
read(3, "ject_r:comsat_exec_t:s0\n# consol"..., 4096) = 4096
read(3, "r:bin_t:s0\n/usr/lib(64)?/cups/cg"..., 4096) = 4096
read(3, "larm-notify.*\t--\tsystem_u:object"..., 4096) = 4096
read(3, "object_r:xferlog_t:s0\n/var/log/x"..., 4096) = 4096
read(3, "usr/lib/gnupg/.*\t--\tsystem_u:obj"..., 4096) = 4096
read(3, "_t:s0\n/etc/init\\.d/.*\t\t--\tsystem"..., 4096) = 4096
read(3, "tem_u:object_r:innd_exec_t:s0\n# "..., 4096) = 4096
read(3, "--\tsystem_u:object_r:load_policy"..., 4096) = 4096
read(3, "ct_r:lvm_exec_t:s0\n/sbin/vgscan\t"..., 4096) = 4096
read(3, "luggerrc system_u:object_r:mozil"..., 4096) = 4096
read(3, "\t\tsystem_u:object_r:ntpd_log_t:s"..., 4096) = 4096
read(3, "\n/usr/sbin/postqueue\t--\tsystem_u"..., 4096) = 4096
read(3, "voxy(/.*)?\t\tsystem_u:object_r:pr"..., 4096) = 4096
read(3, "_u:object_r:samba_log_t:s0\n/var/"..., 4096) = 4096
read(3, "var_run_t:s0\n/var/run/snmpd\t\t-d\t"..., 4096) = 4096
read(3, "ct_r:traceroute_exec_t:s0\n/usr/b"..., 4096) = 4096
read(3, ":s0\n#/usr/local/vmware/[^/]*/.*\\"..., 4096) = 4096
read(3, "on\n/usr/sbin/zebra\t\t--\tsystem_u:"..., 4096) = 4096
read(3, "tem_u:object_r:bin_t:s0\n/emul/ia"..., 4096) = 4096
read(3, "r:texrel_shlib_t:s0\n/usr/lib/lad"..., 4096) = 3452
read(3, "", 4096) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=9381, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3d000
read(4, "\n#\n#\n# User-specific file contex"..., 4096) = 4096
read(4, "onts.cache-.*\t--\troot:object_r:s"..., 4096) = 4096
read(4, "me_t:s0\n/home/valdis/\\.screenrc\t"..., 4096) = 1189
read(4, "", 4096) = 0
_llseek(3, 0, [0], SEEK_SET) = 0
_llseek(4, 0, [0], SEEK_SET) = 0
read(3, "# Distro-specific customizations"..., 4096) = 4096
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:default_t:s0\0", 31) = 31
read(5, "system_u:object_r:default_t:s0\0", 4095) = 31
close(5) = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "system_u:object_r:root_t:s0\0", 28) = 28
read(5, "system_u:object_r:root_t:s0\0", 4095) = 28
close(5) = 0
(1,858 iterations of open/write/read/close deleted)
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37
read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37
close(5) = 0
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5
write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37
read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37
close(5) = 0
close(3) = 0
munmap(0xb7b3e000, 4096) = 0
close(4) = 0
munmap(0xb7b3d000, 4096) = 0
brk(0x863e000) = 0x863e000
close(1) = 0
munmap(0xb7d72000, 9680) = 0
exit_group(0) = ?
Process 17917 detached
help with the SELinux FAQ
by Karsten Wade
If you would like to help write or update the Fedora SELinux FAQ[1],
please follow up to this thread on fedora-docs-list(a)redhat.com (reply-to
set).
I've been unable to maintain the FAQ in a proper state for a while now,
and the content needs to be significantly updated for FC5.
Changes made now can be included in the FC5 testing process.
To fill this role, you need to know what is going on in the Fedora
SELinux project. We can take care of the rest with you, from access to
the content to the tools needed to make the changes.
Thanks - Karsten, lazy FAQ maintainer
[1] http://fedora.redhat.com/docs/selinux-faq/
--
Karsten Wade, RHCE * Sr. Tech Writer * http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
Content Services Fedora Documentation Project
http://www.redhat.com/docs http://fedoraproject.org/wiki/DocsProject