On Thu, 2017-04-20 at 23:27 +0530, Lakshmipathi.G wrote:
> Thanks. Here's the details:
>
> # uname -a
> Linux li1629-137 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC
> 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> # cat /etc/redhat-release
> CentOS Linux release 7.3.1611 (Core)
>
> #rpm qa | grep 'semanage'
> libsemanage-2.5-5.1.el7_3.x86_64
> libsemanage-python-2.5-5.1.el7_3.x86_64

On Fedora, I see a substantial improvement in the latest libsemanage
update, which was created in response to the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1439875

There is a cloned bug for RHEL7.4.

Despite seeming unrelated, the ultimate fix for this bug improved
performance for most semanage commands; the second of the two patches
affected more than just booleans.

The relevant upstream commits are:
https://github.com/SELinuxProject/selinux/commit/b61922f727d5643265e27654a2d626bcae5d894c
https://github.com/SELinuxProject/selinux/commit/8702a865e08b5660561e194a83e4a363061edc03

>
>
> I didn't make any changes to /etc/selinux/semanage.conf . Here's the
> content.
> ---
> module-store = direct
>
> # When generating the final linked and expanded policy, by default
> # semanage will set the policy version to POLICYDB_VERSION_MAX, as
> # given in <sepol/policydb.h>. Change this setting if a different
> # version is necessary.
> #policy-version = 19
>
> # expand-check check neverallow rules when executing all semanage
> commands.
> # Large penalty in time if you turn this on.
> expand-check=0
>
> # usepasswd check tells semanage to scan all pass word records for
> home directories
> # and setup the labeling correctly. If this is turned off, SELinux
> will label /home
> # correctly only. You will need to use semanage fcontext command.
> # For example, if you had home dirs in /althome directory you would
> have to execute
> # semanage fcontext -a -e /home /althome
> usepasswd=False
> bzip-small=true
> bzip-blocksize=5
> ignoredirs=/root
> ---

Your configuration looks fine; I wanted to make sure you had
expand-check=0 and usepasswd=False.

So the problem lies in the libsemanage code; at present, it requires a
full policy module re-link when you add a seusers entry. This has been
fixed in the latest libsemanage version, which will hopefully find its
way to RHEL7 before too long.

>
>
> ----
> Cheers,
> Lakshmipathi.G
> FOSS Programmer.
> http://www.giis.co.in http://www.webminal.org
>
> On Thu, Apr 20, 2017 at 11:23 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> >
> > On Thu, 2017-04-20 at 23:14 +0530, Lakshmipathi.G wrote:
> > > It takes 10 seconds to create user account,where as without -Z
> > > option
> > > it takes less a second. I tried changing SELinux to Permissive
> > > mode
> > > or
> > > try to use tmpfs for /etc/selinux mountpoint , both didn't
> > > help.The
> > > problem is I'm re-creating 50000+ user accounts in a new server.
> > > Looks
> > > for options to speed-up this process. thanks for
> > > any pointers/help.
> > >
> > > # time useradd --uid=20005 -Z guest_u u20005
> > > real 0m10.194s
> > > user 0m8.866s
> > > sys 0m1.273s
> > >
> > > # time useradd --uid=20006 u20006
> > > real 0m0.050s
> > > user 0m0.018s
> > > sys 0m0.021s
> >
> > libsemanage version?
> > /etc/selinux/semanage.conf contents?
> >
> >

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
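
Added example, not part of the original thread or of the SELinux project's code: since the cost described above is paid once per seusers change, one way to avoid 50000 re-links on an unpatched libsemanage is to create the accounts with plain `useradd` and then load all login mappings in a single `semanage import` transaction. The input format (one `name uid` pair per line) and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed input: one "name uid" per line.

# Accept only conservative account names and numeric UIDs so that a malformed
# line cannot smuggle extra commands into the semanage batch.
valid_entry() {
    case "$1" in ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

# Read "name uid" lines on stdin and print one semanage login record per valid
# entry, mapped to the SELinux user given as $1 (guest_u in the thread).
gen_login_batch() {
    case "$1" in ''|*[!a-z0-9_]*) return 2 ;; esac
    while read -r name uid; do
        if valid_entry "$name" "$uid"; then
            printf 'login -a -s %s %s\n' "$1" "$name"
        else
            echo "skipped: '$name' '$uid'" >&2
        fi
    done
}

# Usage: script USERLIST SEUSER  (does nothing unless both arguments are given)
if [ "$#" -eq 2 ]; then
    batch=$(mktemp) || exit 1
    trap 'rm -f "$batch"' EXIT
    while read -r name uid; do
        # Plain useradd (no -Z) is the fast path timed in the thread.
        valid_entry "$name" "$uid" && useradd --uid="$uid" "$name"
    done < "$1"
    gen_login_batch "$2" < "$1" > "$batch" || exit 1
    # One import is one libsemanage transaction covering every mapping.
    semanage import -f "$batch"
fi
```

Check the result with `semanage login -l` before letting the new accounts log in, since an account whose mapping was skipped falls back to the `__default__` login mapping.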