On Thu, 2017-04-20 at 23:27 +0530, Lakshmipathi.G wrote:
Thanks. Here's the details:
# uname -a
Linux li1629-137 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
#rpm qa | grep 'semanage'
On Fedora, I see a substantial improvement in the latest libsemanage
update, which was created in response to the following bug:
There is a cloned bug for RHEL7.4.
Despite seeming unrelated, the ultimate fix for this bug improved
performance for most semanage commands; the second of the two patches
affected more than just booleans.
The relevant upstream commits are:
I didn't make any changes to /etc/selinux/semanage.conf . Here's the
module-store = direct
# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19
# expand-check check neverallow rules when executing all semanage
# Large penalty in time if you turn this on.
# usepasswd check tells semanage to scan all pass word records for
# and setup the labeling correctly. If this is turned off, SELinux
will label /home
# correctly only. You will need to use semanage fcontext command.
# For example, if you had home dirs in /althome directory you would
have to execute
# semanage fcontext -a -e /home /althome
Your configuration looks fine; I wanted to make sure you had expand-
check=0 and usepasswd=False. So the problem lies in the libsemanage
code; at present, it requires a full policy module re-link when you add
a seusers entry. This has been fixed in the latest libsemanage
version, which will hopefully find its way to RHEL7 before too long.
> FOSS Programmer.
> http://www.giis.co.in http://www.webminal.org
> On Thu, Apr 20, 2017 at 11:23 PM, Stephen Smalley <sds(a)tycho.nsa.gov>
> > On Thu, 2017-04-20 at 23:14 +0530, Lakshmipathi.G wrote:
> > > It takes 10 seconds to create user account,where as without -Z
> > > option
> > > it takes less a second. I tried changing SELinux to Permissive
> > > mode
> > > or
> > > try to use tmpfs for /etc/selinux mountpoint , both didn't
> > > help.The
> > > problem is I'm re-creating 50000+ user accounts in a new server.
> > > Looks
> > > for options to speed-up this process. thanks for
> > > any pointers/help.
> > >
> > > # time useradd --uid=20005 -Z guest_u u20005
> > > real 0m10.194s
> > > user 0m8.866s
> > > sys 0m1.273s
> > >
> > > # time useradd --uid=20006 u20006
> > > real 0m0.050s
> > > user 0m0.018s
> > > sys 0m0.021s
> > libsemanage version?
> > /etc/selinux/semanage.conf contents?