Commit 9d107ab77ba4 ("libsemanage: Set new restorecon handle before doing restorecon ") added reopeniong selabel handle every time semanage_setfiles() is called. It means that during `semodule -B`, `selabel_close()` and `selabel_open()` could be called more than 1800x what could have a significant performance impact. It should be enough to reopen selabel handle just after semanage commit when changes are applied. Before 9d107ab77ba4: semodule -B 5.84s user 0.52s system 96% cpu 6.585 total After 9d107ab77ba4: semodule -B 11.15s user 0.64s system 98% cpu 11.952 total With this patch: semodule -B 5.51s user 0.41s system 98% cpu 6.014 total
Signed-off-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>
---
 libsemanage/src/semanage_store.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cf9aa809b7f8..307f27f9838b 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1712,6 +1712,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
 semanage_path(SEMANAGE_PREVIOUS, SEMANAGE_TOPLEVEL);
 const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
 struct stat buf;
+ struct selabel_handle *sehandle;
 /* update the commit number */
 if ((commit_number = semanage_direct_get_serial(sh)) < 0) {
@@ -1822,6 +1823,8 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
 cleanup:
 semanage_release_active_lock(sh);
+ sehandle = selinux_restorecon_default_handle();
+ selinux_restorecon_set_sehandle(sehandle);
 return retval;
 }
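Review bot: The handle refresh added under `cleanup:` in the second hunk passes the result of `selinux_restorecon_default_handle()` straight to `selinux_restorecon_set_sehandle()` without a NULL check, and that call returns NULL when the labeling handle cannot be opened. A guarded form such as `sehandle = selinux_restorecon_default_handle();` followed by `if (sehandle != NULL) selinux_restorecon_set_sehandle(sehandle);`, with an error logged otherwise, keeps a failed reopen from silently changing which file contexts later restorecon calls in the process apply. Because the code sits at the shared `cleanup:` label, it presumably also runs when the commit failed, which does not match the description's "when changes are applied"; the rest of semanage_commit_sandbox is outside the hunk, so whether `retval` can gate the refresh to the success path should be confirmed. A short comment above the two new lines saying that the handle is reopened because the commit may have replaced the file contexts would also help, since the rationale now lives only in the commit message.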
@@ -3012,14 +3015,10 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
 void semanage_setfiles(semanage_handle_t * sh, const char *path){
 struct stat sb;
 int fd;
- struct selabel_handle *sehandle;
 union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
 union selinux_callback cb = { .func_log = log_callback_mute };
- sehandle = selinux_restorecon_default_handle();
- selinux_restorecon_set_sehandle(sehandle);
- /* Mute all logs */
 selinux_set_callback(SELINUX_CB_LOG, cb);
-- 
2.48.1