On Wed, Jul 18, 2012 at 10:39:56AM -0400, Stephen Gallagher wrote:
On Wed, 2012-07-18 at 13:24 +0200, Jakub Hrozek wrote:
The IPA session code used to download all enabled SELinux rules, but then filter out those that match the current user and save only those. This meant that if a rule was deleted or disabled on the server, it remained in the cache and was still evaluated.
The attached patch changes that behaviour to save all downloaded rules -- if this proves to be slow, we can optimize, for instance in a way similar to how HBAC rules are optimized, by falling back to sysdb rules if several requests arrive within a specified interval. However, we don't use member/memberof links when saving the SELinux mappings, so the sysdb write should be reasonably fast.
[PATCH 1/3] IPA: Download defaults even if there are no SELinux mappings
We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults. Previously, the defaults were only downloaded when there were some rules on the server.

[PATCH 2/3] SYSDB: Delete SELinux mappings
A sysdb function that can be used to delete SELinux mappings from the sysdb.

[PATCH 3/3] IPA: Return and save all SELinux rules in the provider
https://fedorahosted.org/sssd/ticket/1421
Ack to all three.
Pushed all three to master.
However, there's a FIXME that I think we can solve very easily. I've opened https://fedorahosted.org/sssd/ticket/1427 to track this.
Thank you, we'll get to this performance improvement in beta 6 (I assume).
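The following is an added model of the cache behaviour the thread describes; it is not SSSD code and does not use the sysdb API. The sysdb cache is modelled as a dictionary keyed by rule name, the server's rule list and the user/rule shape are constructed for the illustration, and the two save functions stand in for the pre-patch (filter to the current user, never delete) and post-patch (delete existing mappings, then save everything downloaded) behaviour. It shows why the old approach kept evaluating a rule that an administrator had since disabled on the server.

```python
"""Model of the stale-cache problem fixed by the SELinux mapping patches.

Constructed example, not SSSD code. Names, rule layout and the dict-based
'sysdb' are assumptions made for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SELinuxRule:
    name: str
    enabled: bool
    users: frozenset          # users the rule applies to (constructed shape)
    selinux_user: str         # SELinux user the rule maps to


def download_enabled_rules(server_rules):
    """What the provider fetches from the server: only currently enabled rules."""
    return [r for r in server_rules if r.enabled]


def save_old(cache, downloaded, user):
    """Pre-patch behaviour: keep only rules matching this user and add them.

    Nothing is ever removed, so a rule disabled or deleted on the server
    survives in the cache from an earlier login.
    """
    for rule in downloaded:
        if user in rule.users:
            cache[rule.name] = rule
    return cache


def save_new(cache, downloaded, user):
    """Post-patch behaviour: delete existing mappings, then save all downloaded rules."""
    cache.clear()                       # PATCH 2/3: delete SELinux mappings
    for rule in downloaded:             # PATCH 3/3: save every downloaded rule
        cache[rule.name] = rule
    return cache


def evaluate(cache, user):
    """Session-time evaluation: the cached rules that apply to this user."""
    return sorted(r.name for r in cache.values() if user in r.users)


def simulate(save_fn, user="alice"):
    """Two logins with an administrative change in between; returns what the
    second login evaluates against the cache."""
    # Constructed server state at the first login.
    server = [
        SELinuxRule("staff-alice", True, frozenset({"alice"}), "staff_u"),
        SELinuxRule("unconfined-alice", True, frozenset({"alice"}), "unconfined_u"),
    ]
    cache = {}
    save_fn(cache, download_enabled_rules(server), user)

    # Administrator disables the permissive rule on the server.
    server = [r if r.name != "unconfined-alice"
              else SELinuxRule(r.name, False, r.users, r.selinux_user)
              for r in server]

    # Second login: download again and refresh the cache.
    save_fn(cache, download_enabled_rules(server), user)
    return evaluate(cache, user)


def stale_rules_with_old_behaviour():
    return simulate(save_old)       # the disabled rule is still evaluated


def rules_with_new_behaviour():
    return simulate(save_new)       # only the rule still enabled on the server


if __name__ == "__main__":
    print("old:", stale_rules_with_old_behaviour())
    print("new:", rules_with_new_behaviour())
```

The model makes the cost trade-off in the thread visible as well: the new path rewrites the whole mapping set on every refresh, which is what the FIXME about falling back to sysdb rules within a short interval would reduce.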