On Wed, 2005-11-30 at 14:52 -0500, Stephen Smalley wrote:
On Wed, 2005-11-30 at 14:24 -0500, Daniel J Walsh wrote:
> Sounds like that is probably the udev problem also.
The issue is the complete processing of file_contexts by
matchpathcon_init() even when the caller is only going to do a single
matchpathcon(). That costs us both in regex compilation time and in
context validation/canonicalization time (the only change in the latter
is that we now read back the canonical context from the kernel; we were
already writing the context to the kernel to validate it). As the
original user of matchpathcon was setfiles/restorecon, that was
reasonable (we wanted the entire configuration). For udev and install,
it isn't.

Solution is likely to provide a variant of matchpathcon_init() that
allows the caller to specify a prefix, and only process file_contexts
entries with that prefix.

Much of the install slowdown should be addressed by libselinux 1.27.28.
We can also potentially improve that further by modifying install to use
the new matchpathcon_init_prefix() interface, but some improvement
should be immediately evident from the new libselinux.
--
Stephen Smalley
National Security Agency
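
The cost difference discussed in this message, as an added example that is not part of the original mail and is not libselinux code: a simplified model using POSIX regex.h that compiles only the file_contexts-style entries that could apply under a caller-supplied prefix. The entries in `SAMPLE` are constructed, and `relevant()` and `lookup()` are hypothetical names; the filtering rule is an assumption of this sketch, not the library's actual algorithm.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample entries in file_contexts style: { regex, context }. */
static const char *SAMPLE[][2] = {
    {"/.*",            "system_u:object_r:default_t"},
    {"/dev(/.*)?",     "system_u:object_r:device_t"},
    {"/dev/null",      "system_u:object_r:null_device_t"},
    {"/usr/bin(/.*)?", "system_u:object_r:bin_t"},
    {"/etc/shadow.*",  "system_u:object_r:shadow_t"},
};
#define NSPEC (sizeof SAMPLE / sizeof SAMPLE[0])

/* Keep an entry unless its mandatory literal head disagrees with prefix.
 * Entries with no usable literal head (such as "/.*") are always kept. */
static int relevant(const char *re, const char *prefix)
{
    size_t n = strcspn(re, ".^$?*+|[({\\"), p = strlen(prefix);
    if (strchr(re, '|')) return 1;                /* alternation: keep */
    if (n && re[n] && strchr("?*{", re[n])) n--;  /* last char is optional */
    return strncmp(re, prefix, n < p ? n : p) == 0;
}

/* Label path using only relevant entries; in this model the last match wins.
 * prefix == NULL processes every entry, like a full matchpathcon_init().
 * *compiled reports how many regexes had to be compiled. */
const char *lookup(const char *path, const char *prefix, int *compiled)
{
    const char *ctx = NULL;
    char anchored[256];
    *compiled = 0;
    for (size_t i = 0; i < NSPEC; i++) {
        regex_t re;
        if (prefix && !relevant(SAMPLE[i][0], prefix)) continue;
        snprintf(anchored, sizeof anchored, "^%s$", SAMPLE[i][0]);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) continue;
        (*compiled)++;
        if (regexec(&re, path, 0, NULL, 0) == 0) ctx = SAMPLE[i][1];
        regfree(&re);
    }
    return ctx;
}

int main(void)
{
    int full, part;
    const char *a = lookup("/dev/null", NULL, &full);
    const char *b = lookup("/dev/null", "/dev", &part);
    printf("full: %s (%d)  prefix: %s (%d)\n", a, full, b, part);
    return 0;
}
```

The filter is deliberately over-inclusive: an entry is skipped only when its required literal head cannot agree with the prefix, so the resulting label is the same as with full processing while fewer regexes are compiled.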