On 10/25/2014 03:32 AM, george karakou wrote: > I disabled modules that i will never need. For example docker,cobbler > and others from contrib. I thought that if the selinux engine would > have to parse 1000 allow rules for every call parsing 800 would > provide a faster decision. The rest would be denied. Anyway restorecon > was the solution. Now i think it might be a good idea to run a > weekly/monthly cronjob and have restorecon in it. I just cant remember > when was the last time i run the command. It must have been over a year. > Thanks > Well SELinux is highly optimized for reading the rules, so the first time it looks up an access decision it is cached and never looked up again (Unless the policy changes). Removing a few thousand rules is probably not going to be measurably faster. But you will save some kernel memory. > On 10/24/2014 08:41 PM, Daniel J Walsh wrote: >> It is doubtful disabling modules will not make SELinux run faster. >> >> You could have done something like >> >> find / -context="\*:unlabeled_t:\*" -print0 | restorecon -f - -0 >> >> But >> >> restorecon -R / >> >> Would also work. >> >> On 10/24/2014 01:27 PM, george karakou wrote: >>> It seems that restorecon -Rv / would do the trick, thanks >>> >>> On 10/24/2014 08:15 PM, Yusuf Hadiwinata wrote: >>>> Hi >>>> >>>> You need to know the right security context and use semanage >>>> fcontext -t >>>> http_sys_content_t '/var/www/myweb' and run restoreconf for example >>>> >>> -- >>> selinux mailing list >>> selinux@xxxxxxxxxxxxxxxxxxxxxxx >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> >> > -- > selinux mailing list > selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
