Hi Stephen,
Thanks for the detailed information. I didn't know there exists semanage export/import, nice option. I tested with new server(centos7), both export/import worked. But unfortunately our old server is really old! (fedora-14/2.6.35.14-106.fc14.i686) semanage export option is missing there.
Scripting way is nice idea.I tested with sample 6 accounts, it worked well. Overall, it took 15 seconds for 6 accounts with semanage import. This script method should work fine in our case. We will create script to write data into userlist file in above format then use it with centos7/semanage import. Thanks a lot of the help.
Thanks for the detailed information. I didn't know there exists semanage export/import, nice option. I tested with new server(centos7), both export/import worked. But unfortunately our old server is really old! (fedora-14/2.6.35.14-106.fc14.i686) semanage export option is missing there.
Scripting way is nice idea.I tested with sample 6 accounts, it worked well. Overall, it took 15 seconds for 6 accounts with semanage import. This script method should work fine in our case. We will create script to write data into userlist file in above format then use it with centos7/semanage import. Thanks a lot of the help.
On Fri, Apr 21, 2017 at 12:26 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
That assumes you already have these users configured on a differentOn Thu, 2017-04-20 at 14:39 -0400, Stephen Smalley wrote:
> On Thu, 2017-04-20 at 23:14 +0530, Lakshmipathi.G wrote:
> > It takes 10 seconds to create user account,where as without -Z
> > option
> > it takes less a second. I tried changing SELinux to Permissive mode
> > or
> > try to use tmpfs for /etc/selinux mountpoint , both didn't help.The
> > problem is I'm re-creating 50000+ user accounts in a new server.
> > Looks
> > for options to speed-up this process. thanks for
> > any pointers/help.
> >
> > # time useradd --uid=20005 -Z guest_u u20005
> > real 0m10.194s
> > user 0m8.866s
> > sys 0m1.273s
> >
> > # time useradd --uid=20006 u20006
> > real 0m0.050s
> > user 0m0.018s
> > sys 0m0.021s
>
> Maybe an alternative until you get an updated libsemanage would be to
> transfer the SELinux configuration via semanage export/import and
> just
> run useradd without -Z. That way you can do all of the additions to
> seusers in a single transaction.
server from which you can run semanage export (I assumed that because
you said you were re-creating 50000+ user accounts). If not, then you
could essentially write a script to generate the input expected by
semanage import to add all the users. It would look something like
this:
$ cat userlist
login -a -s guest_u -r 's0' u20005
login -a -s guest_u -r 's0' u20006
...
$ <add all of the users with useradd first, without -Z>
$ sudo semanage import -f userlist
If you are instead using semanage export from an existing system with
the users already defined, be careful since it always starts with
commands to delete all local customizations before adding the new ones,
so you might not want to do that on your system. You can always delete
those lines from its output before feeding to semanage import.
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx