On Wed, 2008-07-09 at 16:10 +0200, Jan Kasprzak wrote:
> Stephen Smalley wrote:
> : Can you check whether you have expand-check = 0
> : in /etc/selinux/semanage.conf? If not present or commented out, add it
> : and retry.
>
> There was no such option in semanage.conf. After adding it,
> semodule -i took 13.2 seconds (9.7 user, 3.5 sys) on an otherwise
> idle machine (2x dual-core opteron 2222 3.0 GHz). With this option
> commented out, it was 175.8 real, 174.2 user, 1.6 sys.

If you did a clean install, expand-check=0 should be present by default in semanage.conf as of F9 and later, I believe. Or they could even make it the default value in libsemanage in Fedora if they wanted to do so (defined by libsemanage/src/conf_parse.y:semanage_conf_init()) so that it doesn't even require the semanage.conf setting.

With expand-check=1 (the default in the absence of any semanage.conf option), neverallow rule checking and type hierarchy checking are applied on every transaction to revalidate the updated policy, which is quite expensive. Consequently, Fedora has switched to disabling it at runtime. They still ought to be doing it during policy build, though, but I don't see that (requires running make validate during the refpolicy build). Dan?

I'd actually be curious to see how much of that time is due to neverallow vs. hierarchy checking, given that we ought to disable hierarchy checking since it isn't being used presently and has to be reworked for explicit hierarchy anyway.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
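The exchange above turns on one knob in /etc/selinux/semanage.conf: an absent or commented-out expand-check line means libsemanage behaves as expand-check=1 and re-runs neverallow and hierarchy checks on every semodule transaction. The following shell functions, an added example that is not code from the mail, from libsemanage or from Fedora, read the effective value from a semanage.conf-style file and set it idempotently, so an administrator can see which mode a host is in before deciding whether the build-time validation the mail asks about is covering for the runtime check being off. The file format handling (whitespace around "=", "#" comments, last uncommented line wins) is an assumption drawn from the two spellings that appear in the mail, not from the conf_parse.y grammar.

```shell
#!/bin/sh
# Added example (not code from the mail, libsemanage or Fedora): inspect and
# set the expand-check knob in a semanage.conf-style file. An absent knob is
# reported as 1, which is what the mail says libsemanage defaults to.

# Print the effective expand-check value (0 or 1) read from CONF (argument 1,
# default /etc/selinux/semanage.conf). Commented lines ("# expand-check = 0")
# are ignored; if several uncommented lines exist, the last one wins; an
# unreadable file or no matching line yields 1.
expand_check_setting() {
    conf="${1:-/etc/selinux/semanage.conf}"
    val=""
    if [ -r "$conf" ]; then
        val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${val:-1}"
}

# Set expand-check to VALUE (argument 1, must be 0 or 1) in CONF (argument 2,
# default /etc/selinux/semanage.conf). An existing uncommented line is rewritten
# in place; otherwise "expand-check = VALUE" is appended. Commented-out lines
# are left untouched so the admin's notes survive. The file is rewritten via a
# temporary copy and mv so a crash cannot leave a half-written conf behind.
set_expand_check() {
    value="$1"
    conf="${2:-/etc/selinux/semanage.conf}"
    case "$value" in
        0|1) ;;
        *) echo "set_expand_check: value must be 0 or 1" >&2; return 2 ;;
    esac
    tmp="$conf.tmp.$$"
    if [ -r "$conf" ] && grep -q '^[[:space:]]*expand-check[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*expand-check[[:space:]]*=.*/expand-check = $value/" "$conf" > "$tmp"
    else
        { [ -r "$conf" ] && cat "$conf"; printf 'expand-check = %s\n' "$value"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Usage (as root, on a real host):
#   expand_check_setting            # prints 0 or 1 for /etc/selinux/semanage.conf
#   set_expand_check 0              # skip runtime neverallow/hierarchy rechecks
#   set_expand_check 1              # restore full revalidation on every transaction
```

When the reported value is 0, semodule installs are fast but a module that violates a neverallow rule is no longer rejected at install time; that is exactly the situation in which the "make validate" step during the policy build that the mail mentions becomes the only check left, so treat a 0 here as a prompt to confirm the build pipeline runs it.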