Re: SASL slow when selinux enabled

Ok, sounds like I could get around this by linking SASL against a different set of Kerberos libraries and a bit of selinux policy to allow the cache to work whether or not it is labeled correctly for selinux.

Thanks Nalin

Matt

On Mon, 2012-09-10 at 21:45 -0400, Nalin Dahyabhai wrote:
On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote:
> It seems that sasl_server_start() takes 0.17 seconds to run when selinux
> is disabled and takes 1.28 seconds to run when selinux is enabled.
[snip]
> Some more details, the test system is running CentOS 6.3, which came
> with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries.  I first noticed
> the problem with OpenLDAP 2.4.28.  I have since compiled SASL 2.1.25 and
> confirmed the problem using the sample client and sample server.

We have a local patch that we apply to try to keep replay caches (well,
anything libkrb5 creates) labeled correctly for SELinux.  Up through
6.2, the patch didn't cover the case of replay caches when they were
being flushed, and we fixed that for 6.3.  It turned out that fixing
that came with a pretty big speed hit.  We're tracking this as #845125
and #846472 in our bugzilla [1] and are working on an update.

HTH,

Nalin

[1] http://bugzilla.redhat.com/845125, http://bugzilla.redhat.com/846472
