Postfix avcs (Re: Enabling SELinux on a custom kernel)

Stephen Smalley sds at tycho.nsa.gov
Wed Jul 9 14:21:17 UTC 2008


On Wed, 2008-07-09 at 16:10 +0200, Jan Kasprzak wrote:
> Stephen Smalley wrote:
> : Can you check whether you have expand-check = 0
> : in /etc/selinux/semanage.conf?  If not present or commented out, add it
> : and retry.
> 
> 	There was no such option in semanage.conf. After adding it,
> semodule -i took 13.2 seconds (9.7 user, 3.5 sys) on an otherwise
> idle machine (2x dual-core opteron 2222 3.0 GHz). With this option
> commented out, it was 175.8 real (174.2 user, 1.6 sys).

If you did a clean install, expand-check=0 should be present by default
in semanage.conf as of F9 and later I believe.  Or they could even make
it the default value in libsemanage in Fedora if they wanted to do so
(defined by libsemanage/src/conf_parse.y:semanage_conf_init()) so that
it doesn't even require the semanage.conf setting.

With expand-check=1 (default in the absence of any semanage.conf
option), neverallow rule checking and type hierarchy checking are applied
on every transaction to revalidate the updated policy, which is quite
expensive.  Consequently, Fedora has switched to disabling it at
runtime.  They still ought to be doing it during policy build though,
but I don't see that (requires running make validate during the
refpolicy build).  Dan?

I'd actually be curious to see how much of that time is due to
neverallow vs. hierarchy checking, given that we ought to disable
hierarchy checking since it isn't being used presently and has to be
reworked for explicit hierarchy anyway.

-- 
Stephen Smalley
National Security Agency
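As an added illustration of the setting discussed above (not part of the thread, and not libsemanage's own code): a small POSIX shell helper that reports the effective expand-check value of a semanage.conf (1 when the key is absent or commented out, matching the default libsemanage behaviour described here) and rewrites the file so that runtime transactions skip the expensive revalidation. The semanage.conf contents it runs on are constructed samples; the neverallow checks that are skipped at runtime still belong in the policy build, as the message notes.

```shell
# Added example, not from the thread. Reports and sets expand-check in a
# semanage.conf-style file ("key = value" lines, "#" comments).

# effective_expand_check FILE -> prints 0 or 1. The last active
# "expand-check = N" line wins; absent or commented out means 1, the
# libsemanage default described in the thread.
effective_expand_check() {
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-1}"
}

# set_expand_check FILE VALUE -> rewrites FILE in place so exactly one
# active "expand-check = VALUE" line remains; comments and other keys
# are kept untouched.
set_expand_check() {
    f=$1; v=$2
    tmp=$(mktemp) || return 1
    # Drop any existing active expand-check lines, keep everything else.
    grep -v '^[[:space:]]*expand-check[[:space:]]*=' "$f" > "$tmp" || true
    printf 'expand-check = %s\n' "$v" >> "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# demo -> "<before> <after>" on a constructed semanage.conf where the
# key is present only as a comment (so the default of 1 applies).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/semanage.conf" <<'EOF'
# constructed sample resembling a stock semanage.conf
module-store = direct
#expand-check = 0
EOF
    before=$(effective_expand_check "$d/semanage.conf")
    set_expand_check "$d/semanage.conf" 0
    after=$(effective_expand_check "$d/semanage.conf")
    rm -rf "$d"
    printf '%s %s\n' "$before" "$after"   # → 1 0
}
```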




More information about the fedora-selinux-list mailing list