Ok, sounds like I could get around this by linking SASL against a different set of Kerberos libraries and a bit of selinux policy to allow the cache to work whether or not it is labeled correctly for selinux.
Thanks Nalin

Matt

On Mon, 2012-09-10 at 21:45 -0400, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote:
> > It seems that sasl_server_start() takes 0.17 seconds to run when selinux
> > is disabled and takes 1.28 seconds to run when selinux is enabled.
> [snip]
> > Some more details, the test system is running CentOS 6.3, which came
> > with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries. I first noticed
> > the problem with OpenLDAP 2.4.28. I have since compiled SASL 2.1.25 and
> > confirmed the problem using the sample client and sample server.
>
> We have a local patch that we apply to try to keep replay caches (well,
> anything libkrb5 creates) labeled correctly for SELinux. Up through
> 6.2, the patch didn't cover the case of replay caches when they were
> being flushed, and we fixed that for 6.3. It turned out that fixing
> that came with a pretty big speed hit. We're tracking this as #845125
> and #846472 in our bugzilla [1] and are working on an update.
>
> HTH,
>
> Nalin
>
> [1] http://bugzilla.redhat.com/845125, http://bugzilla.redhat.com/846472