slow speed of selinux commands

Daniel J Walsh dwalsh at
Wed Oct 12 13:15:18 UTC 2011

Hash: SHA1

On 10/12/2011 09:00 AM, Fulko Hew wrote:
> On Mon, Sep 19, 2011 at 4:01 PM, Fulko Hew <fulko.hew at 
> <mailto:fulko.hew at>> wrote:
>> On Mon, Sep 19, 2011 at 3:32 PM, Eric Paris <eparis at
> <mailto:eparis at>> wrote:
>>> On Mon, 2011-09-19 at 14:49 -0400, Fulko Hew wrote:
>>>> If so... why use chcon versus the semanage/restorecon
>>>> technique? or if my assesement is wrong... can someone point
>>>> me to a better explanation/tutorial?
>> ... snip ...
>>> So semanage+restorecon == will last, chcon == will likely get
>>> blown away and make you angry later.
>> Thanks for confirming that for me.
> Sorry to take a long time for a further followup.. I made the
> changes to my RPM spec file, and it works, but...
> The processing sure takes a long time... Whereas 'installing'the
> files is a quick procedure (seconds), my subsequent selinux
> commandstake _minutes_ to process.
> Surely the other packages can't be using this combo of commands 
> inside their spec files to handle selinux mode/attribute setting 
> during installation (because they don't take this long to
> install).
> There has to be a better way/faster way.
> What I have right now is:
> if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then # if it 
> exists and can be run setsebool -P httpd_can_network_connect=1
> # then enable this ability setsebool -P httpd_enable_cgi=1
> # this one should normally be on... fi
> # but force it because _we_ need it!
> if semanage fcontext -a -t httpd_sys_script_exec_t 
> "/var/www/html/nia/scripts/.*" 2>/dev/null; then restorecon -v
> /var/www/html/nia/scripts/* 2>/dev/null fi if semanage fcontext -a
> -t httpd_sys_rw_content_t "/var/www/html/nia/tmp" 2>/dev/null;
> then restorecon -v /var/www/html/nia/tmp 2>/dev/null fi # needed
> for RHEL 5.6 & GraphViz access to the fonts if semanage fcontext -a
> -t httpd_sys_content_t "/var/cache/fontconfig/.*" 2>/dev/null;
> then restorecon -v /var/cache/fontconfig/* 2>/dev/null fi

First I would work with the selinux-policy package to incorporate
things like labels into the base package.

Please do not set labels on directories that are not included in your
package.  /var/cache/fontconfig  should not be labeled as apache content.

Multiple semanage commands can be run within a single transaction.

For example setting multiple booleans is done in the xguest post install

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth

And you can mix and match your commands

semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_enable_cgi
fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp(/.*)?"
fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts(/.*)?"

If you want to allow apache to read files labeled fonts_cache_t, then
you should install a policy module with those allow rules.
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the devel mailing list