slow speed of selinux commands

Daniel J Walsh dwalsh at redhat.com
Wed Oct 12 13:15:18 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/12/2011 09:00 AM, Fulko Hew wrote:
> 
> 
> On Mon, Sep 19, 2011 at 4:01 PM, Fulko Hew <fulko.hew at gmail.com 
> <mailto:fulko.hew at gmail.com>> wrote:
>> On Mon, Sep 19, 2011 at 3:32 PM, Eric Paris <eparis at redhat.com
> <mailto:eparis at redhat.com>> wrote:
>>> On Mon, 2011-09-19 at 14:49 -0400, Fulko Hew wrote:
>>> 
>>>> If so... why use chcon versus the semanage/restorecon
>>>> technique? or if my assessment is wrong... can someone point
>>>> me to a better explanation/tutorial?
>> 
>> ... snip ...
>> 
>>> So semanage+restorecon == will last, chcon == will likely get
>>> blown away and make you angry later.
>> 
>> Thanks for confirming that for me.
> 
> Sorry to take a long time for a further followup.. I made the
> changes to my RPM spec file, and it works, but...
> 
> The processing sure takes a long time... Whereas 'installing' the
> files is a quick procedure (seconds), my subsequent selinux
> commands take _minutes_ to process.
> 
> Surely the other packages can't be using this combo of commands 
> inside their spec files to handle selinux mode/attribute setting 
> during installation (because they don't take this long to
> install).
> 
> There has to be a better way/faster way.
> 
> What I have right now is:
> 
> if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then   # if it exists and can be run
>     setsebool -P httpd_can_network_connect=1                 # then enable this ability
>     setsebool -P httpd_enable_cgi=1                          # this one should normally be on...
> fi                                                           # but force it because _we_ need it!
> 
> if semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts/.*" 2>/dev/null; then
>     restorecon -v /var/www/html/nia/scripts/* 2>/dev/null
> fi
> if semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp" 2>/dev/null; then
>     restorecon -v /var/www/html/nia/tmp 2>/dev/null
> fi
> # needed for RHEL 5.6 & GraphViz access to the fonts
> if semanage fcontext -a -t httpd_sys_content_t "/var/cache/fontconfig/.*" 2>/dev/null; then
>     restorecon -v /var/cache/fontconfig/* 2>/dev/null
> fi
> 
> 

First I would work with the selinux-policy package to incorporate
things like labels into the base package.

Please do not set labels on directories that are not included in your
package.  /var/cache/fontconfig  should not be labeled as apache content.

Multiple semanage commands can be run within a single transaction.

For example setting multiple booleans is done in the xguest post install

semanage -S targeted -i - << _EOF
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF

And you can mix and match your commands

semanage -S targeted -i - << _EOF
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_enable_cgi
fcontext -a -t httpd_sys_rw_content_t "/var/www/html/nia/tmp(/.*)?"
fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nia/scripts(/.*)?"
_EOF

If you want to allow apache to read files labeled fonts_cache_t, then
you should install a policy module with those allow rules.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6VkuYACgkQrlYvE4MpobN9XgCfeYDRshf2aRSG+GDcIK+ote67
4EEAoIT6r7/mUFZAxgR/ThJpXYi2HI0g
=Ju4Z
-----END PGP SIGNATURE-----
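An added example, not code from either poster: a %post-style scriptlet that follows the advice above. It builds the whole set of boolean and fcontext changes as one `semanage -S targeted -i -` transaction (so the policy store is loaded and written once instead of once per command), and then relabels only the directories the package itself ships. The helper names (`emit_semanage_transaction`, `selinux_post_install`) and the `SEMANAGE` override variable are this example's own; the booleans, types and paths are the ones from the thread.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's script.

# Emit one semanage transaction from a list of specs:
#   boolean:NAME                 -> boolean -m --on NAME
#   fcontext:TYPE:REGEX          -> fcontext -a -t TYPE "REGEX"
# Anything else is rejected so a typo in the spec list cannot slip through
# into the policy store.
emit_semanage_transaction() {
    for spec in "$@"; do
        case "$spec" in
            boolean:*)
                printf 'boolean -m --on %s\n' "${spec#boolean:}"
                ;;
            fcontext:*)
                rest=${spec#fcontext:}
                type=${rest%%:*}
                regex=${rest#*:}
                printf 'fcontext -a -t %s "%s"\n' "$type" "$regex"
                ;;
            *)
                printf 'emit_semanage_transaction: bad spec %s\n' "$spec" >&2
                return 1
                ;;
        esac
    done
}

# %post body: only touch the policy store when SELinux is actually enabled,
# apply everything in a single transaction, then relabel just the package's
# own directories (nothing under /var/cache/fontconfig, which this package
# does not own). SEMANAGE is a hypothetical override used only for testing.
selinux_post_install() {
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        emit_semanage_transaction \
            boolean:httpd_can_network_connect \
            boolean:httpd_enable_cgi \
            'fcontext:httpd_sys_rw_content_t:/var/www/html/nia/tmp(/.*)?' \
            'fcontext:httpd_sys_script_exec_t:/var/www/html/nia/scripts(/.*)?' \
        | "${SEMANAGE:-/usr/sbin/semanage}" -S targeted -i - \
        && restorecon -R /var/www/html/nia/tmp /var/www/html/nia/scripts
    fi
}

# In the spec file's %post this would simply be: selinux_post_install
```

Two things to keep in mind when using this pattern: `fcontext -a` fails if the same file spec is already defined, so a package that is upgraded in place rather than freshly installed needs to remove its specs in %postun (or check `semanage fcontext -l` first); and the regex form `/var/www/html/nia/tmp(/.*)?` covers the directory and everything below it, which is what `restorecon -R` then relabels.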