On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote: > It seems that sasl_server_start() takes 0.17 seconds to run with selinux > is disabled and takes 1.28 seconds to run when selinux is enabled. [snip] > Some more details, the test system is running CentOS 6.3, which came > with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries. I first noticed > the problem with OpenLDAP 2.4.28. I have since compiled SASL 2.1.25 and > confirmed the problem using the sample client and sample server. We have a local patch that we apply to try to keep replay caches (well, anything libkrb5 creates) labeled correctly for SELinux. Up through 6.2, the patch didn't cover the case of replay caches when they were being flushed, and we fixed that for 6.3. It turned out that fixing that came with a pretty big speed hit. We're tracking this as #845125 and #846472 in our bugzilla [1] and are working on an update. HTH, Nalin [1] http://bugzilla.redhat.com/845125, http://bugzilla.redhat.com/846472
