semanage slow (Should I ignore or report this avc denial?)
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 2 18:16:24 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/02/2012 09:21 AM, Zdenek Pytela wrote:
> Daniel J Walsh pise:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 09/27/2012 10:34 AM, Sergio wrote:
>>>
>>>>>>
>>>>>> The policy configuration supports two options:
>>>>>>
>>>>>> 1. silently deny this: setsebool -P
>>>>> vbetool_mmap_zero_ignore on
>>>>>>
>>>>>> or
>>>>>>
>>>>>> 2. allow this: setsebool -P mmap_low_allowed on
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> A better solution is probably
>>>>>
>>>>> yum remove vbetool
>>>>>
>>>>> Since most people do not need it.
>>>>
>>>
>>> For the while I went with
>>>
>>> # setsebool -P mmap_low_allowed on
>>>
>>> And it's taking quite a while to complete the job. The command is
>>> using almost all of my old Athlon CPU for quite some time already.
>>>
>>> Is this normal?
>>>
>>> Note: last selinux-policy-targeted update got stuck and I eventually
>>> had to stop it and then complete it afterwards (with
>>> yum-complete-transaction). Just saying to give a perspective. Maybe I
>>> should stop the setsebool process (not doing anything now in case I get
>>> an answer)? -- selinux mailing list selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>
>>
>> setsebool -P and semanage commands are slow, they are doing a full
>> recompile of all policy.
> OK, I understand this. But what's the reason to be semanage boolean -l much
> slower than getsebool -a No recompiling, just gathering the booleans
> default state and short summary in addition to the second command.
>
Yes this is because semanage is doing a lot of initialization stuff that could
probably be avoided if we were a little smarter.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBrL3gACgkQrlYvE4MpobNwwwCbBjKPyd+SslomlyJJHj3xggJv
toYAnixNTm/kNynaC5fDi7QBGN8P5Qjt
=vErS
-----END PGP SIGNATURE-----
More information about the selinux
mailing list