Re: transactions in semanage

On 07/18/2010 01:54 PM, Kyle Moffett wrote:
> Hi Russell!
> 
> On Sun, Jul 18, 2010 at 08:05, Russell Coker <russell@xxxxxxxxxxxx> wrote:
>> Has anyone considered a batch/transaction interface for semanage?
>>
>> The idea would be that you could redirect input from a script containing a
>> list of commands, and either all of them would succeed and be committed to
>> disk or none of the changes would apply and an error message would inform the
>> user of the cause of the problem.
>>
>> The first benefit of this would be an improvement in run-time.  Currently
>> semanage can be quite time consuming on a low-end system and if you have a
>> large number of commands to run (EG a for loop that has each iteration adding
>> a number of fcontext rules or user identities) then it could be a real drag.
> 
> This sounds like a good direction to move in, but if you're interested
> in run-time there's much lower hanging fruit.  Matt Robertson (a
> coworker of mine) just posted a relatively short patch that cuts 80%
> off the runtime of the "semodule" by allowing dynamically-sized hash
> tables.  Specifically, in his original profile results a simple
> "semodule -i" was spending a whopping 50% of its time in strcmp().
> 
> It looks like a substantial additional reduction can be obtained by
> adding support for lzma or gzip compression (or maybe even disable it
> entirely) instead of the CPU-intensive bzip2.  On top of that, there
> seem to be at least a few O(X^2) algorithms that may be rewritten for
> efficiency.
> 
> So while I personally think that a transactional interface would be
> good (perhaps similar to "iptables-load" and "iptables-restore"?),
> there's much more important things to fix with regards to runtime.
> Asking that the admin wait 2 minutes to add a new SELinux user is just
> a bit much :-D.
> 
> Cheers,
> Kyle Moffett
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

Not well documented bug
semanage -S targeted -i - << _EOF
login -a -s xguest_u xguest
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF


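The batch form from the reply, applied to the case raised in the original question (a loop adding many fcontext rules), as an added example that is not part of either message. The function names and the sample types and paths are constructed, and rejecting whitespace and quotes in fields is this example's own precaution so that a rule list cannot add extra arguments to a batch line.

```shell
#!/bin/sh
# Added example (not from the thread): one semanage run for many fcontext rules.

# Read "TYPE PATH-REGEX" lines on stdin, print semanage batch lines on stdout.
# Fails without printing any batch if a field is malformed or could smuggle
# extra arguments into a batch line (whitespace, quotes).
build_fcontext_batch() {
    _batch=""
    while read -r type path; do
        if [ -z "$type" ]; then continue; fi          # skip blank lines
        case "$type" in
            *[!A-Za-z0-9_]*) echo "rejected type: $type" >&2; return 1 ;;
        esac
        case "$path" in
            *[[:space:]]*|*\'*|*\"*) echo "rejected path: $path" >&2; return 1 ;;
            /*) ;;                                    # must be absolute
            *) echo "rejected path: $path" >&2; return 1 ;;
        esac
        _batch="${_batch}fcontext -a -t ${type} ${path}
"
    done
    printf '%s' "$_batch"
}

# Feed the whole batch to a single semanage run, in the form used in the reply.
# Requires root and an SELinux system; not called by this script itself.
apply_fcontext_batch() {
    _input=$(build_fcontext_batch) || return 1
    if [ -z "$_input" ]; then return 0; fi            # nothing to apply
    printf '%s\n' "$_input" | semanage -S targeted -i -
}

# Constructed sample rules; printed only, nothing is applied here.
build_fcontext_batch <<'EOF'
httpd_sys_content_t /srv/www(/.*)?
public_content_t /srv/pub(/.*)?
EOF
```

To apply a rule list instead of printing it, pipe the same input to `apply_fcontext_batch`.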
