Re: find invalid fcontext without autorelabeling

On 10/25/2014 03:32 AM, george karakou wrote:
> I disabled modules that I will never need. For example docker, cobbler
> and others from contrib. I thought that if the SELinux engine would
> have to parse 1000 allow rules for every call, parsing 800 would
> provide a faster decision. The rest would be denied. Anyway, restorecon
> was the solution. Now I think it might be a good idea to run a
> weekly/monthly cronjob and have restorecon in it. I just can't remember
> when was the last time I ran the command. It must have been over a year.
> Thanks
>
Well, SELinux is highly optimized for reading the rules, so the first
time it looks up an access decision it is cached and never looked up
again (unless the policy changes). Removing a few thousand rules is
probably not going to be measurably faster. But you will save some
kernel memory.

> On 10/24/2014 08:41 PM, Daniel J Walsh wrote:
>> It is doubtful disabling modules will not make SELinux run faster.
>>
>> You could have done something like
>>
>> find / -context "*:unlabeled_t:*" -print0 | restorecon -f - -0
>>
>> But
>>
>> restorecon -R /
>>
>> Would also work.
>>
>> On 10/24/2014 01:27 PM, george karakou wrote:
>>> It seems that restorecon -Rv / would do the trick, thanks
>>>
>>> On 10/24/2014 08:15 PM, Yusuf Hadiwinata wrote:
>>>> Hi
>>>>
>>>> You need to know the right security context and use semanage
>>>> fcontext -a -t httpd_sys_content_t '/var/www/myweb' and run
>>>> restorecon, for example
>>>>
>>> -- 
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
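
A read-only way to list mislabeled files before running `restorecon -R /` as discussed in this thread. This is an added example, not code from any poster; it assumes the two `restorecon -n -v` line formats shown in the comments, and the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize what a dry-run relabel would change.

# Read `restorecon -n -v` output on stdin and print one line per
# "current type -> expected type" pair, with a file count, most frequent first.
summarize_relabels() {
    awk '
    # Return the type (3rd field) of a user:role:type:level context.
    function seltype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    # Assumed newer format: "Would relabel PATH from OLD to NEW"
    $1 == "Would" && $2 == "relabel" && $(NF-1) == "to" {
        n[seltype($(NF-2)) " -> " seltype($NF)]++; next
    }
    # Assumed older format: "restorecon reset PATH context OLD->NEW"
    $1 == "restorecon" && $2 == "reset" && index($NF, "->") {
        split($NF, c, "->")
        n[seltype(c[1]) " -> " seltype(c[2])]++; next
    }
    # Fields are taken from the end of the line, so paths with spaces are fine.
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -k1,1nr -k2
}

# Dry run over a tree: -n changes nothing, -v reports each mismatch.
audit_labels() {
    restorecon -R -n -v "${1:-/}" | summarize_relabels
}

# Constructed sample output (not captured from a real system).
sample_output() {
    cat <<'EOF'
restorecon reset /var/www/myweb/index.html context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/myweb/app.css context unconfined_u:object_r:unlabeled_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/myweb/my notes.txt from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /etc/example.conf from system_u:object_r:unlabeled_t:s0 to system_u:object_r:etc_t:s0
EOF
}
```

Calling `audit_labels /var/www` prints counts only and changes no labels, which suits the periodic cron check mentioned in the thread.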




