On Mon, 03 Mar 2014 12:11:56 -0500, Zack Weinberg <za...@panix.com> wrote:
> On 2014-03-02 8:14 PM, Laurent Bigonville wrote:
> > On Sun, 02 Mar 2014 17:09:39 -0500,
> > Zack Weinberg <za...@panix.com> wrote:
> >
> >> Enabling or disabling any SELinux module with `semodule -e` / `-d`
> >> takes approximately one minute, which makes manual module
> >> selection an exercise in frustration. It should take no more than
> >> a second or two.
> >
> > On my machine here it takes around 15s.
>
> I am working with a probably-underprovisioned cloud VM, so I'm not
> surprised it's slower for me.
>
> But I think 15 seconds is still too slow. It *appears* that the
> primary effect of "semodule -d NAME" is equivalent to "touch
> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
> what on earth is it doing that takes more than a few milliseconds?

Well, not only: it's also rebuilding the policy file under /etc/selinux and reloading it in the kernel. You could try to use -N; the policy will still be rebuilt but not reloaded in the kernel.

Otherwise, you could just create the .disabled files by hand and then run semodule -B.

> > Could you check in /etc/selinux/semanage.conf if it contains
> > a line with "expand-check=0"?
>
> Yes, it does.
>
> root@REDACTED # grep expand-check /etc/selinux/semanage.conf
> # expand-check check neverallow rules when executing all semanage
> commands.
> expand-check=0

That's correct; without this parameter it might be even longer.

I'm not sure this is a bug.

Cheers,

Laurent Bigonville
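The batch approach suggested in the reply above (create the `.disabled` markers by hand, then run `semodule -B` once), as an added example that is not part of the original thread. The function name `disable_modules` and the `MODDIR` / `SEMODULE` override variables are assumptions of this sketch; the default directory is the path quoted in the thread, and the check for `NAME.pp` assumes that store layout.

```shell
#!/bin/sh
# Added example: disable several SELinux modules with a single policy rebuild,
# instead of paying the rebuild cost once per `semodule -d NAME`.

# Module store path as quoted in the thread (Debian "default" policy).
MODDIR="${MODDIR:-/etc/selinux/default/modules/active/modules}"
# Overridable so the function can be exercised without touching live policy
# (hypothetical knob for this example, not a semodule feature).
SEMODULE="${SEMODULE:-semodule}"

# usage: disable_modules NAME...
# Prints the number of modules newly marked as disabled.
disable_modules() {
    [ "$#" -gt 0 ] || { echo "usage: disable_modules NAME..." >&2; return 2; }

    # Validate every name before changing anything, so a typo cannot leave
    # the store half-modified.
    for name in "$@"; do
        case "$name" in
            ''|*/*|.*) echo "invalid module name: $name" >&2; return 2 ;;
        esac
        [ -f "$MODDIR/$name.pp" ] || { echo "no such module: $name" >&2; return 1; }
    done

    changed=0
    for name in "$@"; do
        marker="$MODDIR/$name.pp.disabled"
        if [ ! -e "$marker" ]; then
            : > "$marker" || return 1      # same effect as `touch`
            changed=$((changed + 1))
        fi
    done

    # Rebuild (and reload) the policy once for the whole batch, and only if
    # something actually changed.
    if [ "$changed" -gt 0 ]; then
        "$SEMODULE" -B || return 1
    fi
    echo "$changed"
}
```

Run as root; the markers have no effect on the loaded policy until the `semodule -B` step completes.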