Re: CPU Spike caused by semanage commands

Wednesday, 21 November 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/21/2012 12:57 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
...
 Dan,

 Thanks for your response.

 Why would semanage perform a recompile of the policies. Is it possible to 
 enforce semanage not to recompile the policies in order to prevent the 
 spike.

 Thanks, Anamitra

 On 11/21/12 2:13 AM, "Daniel J Walsh" <dwalsh(a)redhat.com&gt; wrote:

 On 11/20/2012 06:02 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>> 
>>> We are in the process of upgrading our product to RHEL6 os. And
>>> during setting of SELinux contexts using semanage commands we see 100
>>> % CPU usage as below
>>> 
>>> top - 19:22:33 up  1:00,  1 user,  load average: 1.25, 1.15, 1.58
>>> Tasks: 171 total,   2 running, 169 sleeping,   0 stopped,   0 zombie
>>> Cpu(s): 24.7%us,  0.2%sy,  0.0%ni, 75.2%id,  0.0%wa,  0.0%hi,
>>> 0.0%si, 0.0%st Mem: 6113004k total,  5841096k used,   271908k free,
>>> 22600k buffers Swap: 2047992k total,        0k used,  2047992k free,
>>> 5078044k cached
>>> 
>>> PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>> 
>>> 
>>> 4189 root      20   0  575m 410m 3296 R 100.0  6.9   0:08.17
>>> semanage
>>> 
>>> 
>>> 21 root      20   0     0    0    0 S  0.3  0.0   0:00.48 events/2
>>> 
>>> 
>>> 60 root      39  19     0    0    0 S  0.3  0.0   0:00.41 khugepaged
>>> 
>>> 
>>> 3337 root      20   0 15088 1396 1020 R  0.3  0.0   0:01.29 top
>>> 
>>> 
>>> 11471 root      39  19     0    0    0 S  0.3  0.0   0:14.53 kipmi0
>>> 
>>> 
>>> 1 root      20   0 19396 1532 1208 S  0.0  0.0   0:01.10 init.real
>>> 
>>> 
>>> 2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
>>> 
>>> 
>>> 3 root      RT   0     0    0    0 S  0.0  0.0   0:00.03 migration/0
>>> 
>>> 
>>> 4 root      20   0     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
>>> 
>>> 
>>> 5 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0
>>> 
>>> 
>>> 6 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
>>> 
>>> 
>>> 7 root      RT   0     0    0    0 S  0.0  0.0   0:00.09 migration/1
>>> 
>>> 
>>> 8 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/1
>>> 
>>> 
>>> 9 root      20   0     0    0    0 S  0.0  0.0   0:00.04 ksoftirqd/1
>>> 
>>> 
>>> 10 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/1
>>> 
>>> 
>>> 11 root      RT   0     0    0    0 S  0.0  0.0   0:00.04
>>> migration/2
>>> 
>>> 
>>> 12 root      RT   0     0    0    0 S  0.0  0.0   0:00.00
>>> migration/2
>>> 
>>> 
>>> 13 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> ksoftirqd/2
>>> 
>>> 
>>> 14 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/2
>>> 
>>> 
>>> 15 root      RT   0     0    0    0 S  0.0  0.0   0:00.05
>>> migration/3
>>> 
>>> 
>>> 16 root      RT   0     0    0    0 S  0.0  0.0   0:00.00
>>> migration/3
>>> 
>>> 
>>> 17 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> ksoftirqd/3
>>> 
>>> 
>>> 18 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 watchdog/3
>>> 
>>> 
>>> 19 root      20   0     0    0    0 S  0.0  0.0   0:00.00 events/0
>>> 
>>> 
>>> 20 root      20   0     0    0    0 S  0.0  0.0   0:00.03 events/1
>>> 
>>> 
>>> 22 root      20   0     0    0    0 S  0.0  0.0   0:00.89 events/3
>>> 
>>> 
>>> 23 root      20   0     0    0    0 S  0.0  0.0   0:00.00 cpuset
>>> 
>>> 
>>> 24 root      20   0     0    0    0 S  0.0  0.0   0:00.00 khelper
>>> 
>>> 
>>> 25 root      20   0     0    0    0 S  0.0  0.0   0:00.00 netns
>>> 
>>> 
>>> 26 root      20   0     0    0    0 S  0.0  0.0   0:00.00 async/mgr
>>> 
>>> 
>>> 27 root      20   0     0    0    0 S  0.0  0.0   0:00.00 pm
>>> 
>>> 
>>> 28 root      20   0     0    0    0 S  0.0  0.0   0:00.02
>>> sync_supers
>>> 
>>> 
>>> 29 root      20   0     0    0    0 S  0.0  0.0   0:00.01
>>> bdi-default
>>> 
>>> 
>>> 30 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> kintegrityd/0
>>> 
>>> 
>>> 31 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> kintegrityd/1
>>> 
>>> 
>>> 32 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> kintegrityd/2
>>> 
>>> 
>>> 33 root      20   0     0    0    0 S  0.0  0.0   0:00.00
>>> kintegrityd/3
>>> 
>>> 
>>> You have new mail in /var/spool/mail/root [root@vos-cm144 ~]# ps -efZ
>>> | grep semanage system_u:system_r:initrc_t:s0   root      4189  4188
>>> 96 19:22 ? 00:00:12 /usr/bin/python -Es /usr/sbin/semanage user -a -P
>>> user -R sysadm_r system_r specialuser_u
>>> 
>>> Is this an expected behavior .
>>> 
>>> Thanks, Anamitra
>>> 
>>> 
>>> 
>>> -- selinux mailing list selinux(a)lists.fedoraproject.org 
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>> 
 semanage is performing a recompile of policy which is causing the spike.

 -- selinux mailing list selinux(a)lists.fedoraproject.org 
 https://admin.fedoraproject.org/mailman/listinfo/selinux

I am not sure why it is compiling the policy when it adds a file context, it
should be loading the policy to verify that a type exists, but that is all.

Please open a bugzilla on this.
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCtGdwACgkQrlYvE4MpobPJwgCgyTmhzZJeUZjukHJ4HiDzyK28
r94AoKtdnFA88ASjgXDuu4LnDyP3AtzS
=hMNU
-----END PGP SIGNATURE----- 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: CPU Spike caused by semanage commands