On Mon, Mar 3, 2014 at 12:24 PM, Laurent Bigonville <bi...@debian.org> wrote:
> On Mon, 03 Mar 2014 12:11:56 -0500,
> Zack Weinberg <za...@panix.com> wrote:
>> But I think 15 seconds is still too slow. It *appears* that the
>> primary effect of "semodule -d NAME" is equivalent to "touch
>> /etc/selinux/default/modules/active/modules/NAME.pp.disabled", so
>> what on earth is it doing that takes more than a few milliseconds?
>
> Well not only, it's also rebuilding the policy file under /etc/selinux
> and reloading it in the kernel, you could try to use -N, the policy will
> still be rebuilt but not reloaded in the kernel.
>
> Otherwise, you could just create the .disabled files by hand and then
> run semodule -B.

semodule -N makes no real difference. Starting from an installation
with nearly everything disabled:

# time semodule -e mongodb; \
  time semodule -d mongodb; \
  time semodule -N -e mongodb; \
  time semodule -N -d mongodb

real    0m47.702s
user    0m41.455s
sys     0m4.236s

real    0m45.268s
user    0m41.943s
sys     0m2.216s

real    0m55.563s
user    0m53.191s
sys     0m2.344s

real    0m43.305s
user    0m41.851s
sys     0m1.448s

(mongodb picked more or less at random as a leaf module).

> I'm not sure this is a bug.

Well, I would ask that you consider two changes. Short term, warn
people in the documentation that semodule -e/-d can be very slow and,
for bulk operations, suggest manually creating or removing .disabled
files and then running semodule -B. Long term, work on making the
process of rebuilding the policy more efficient.

zw
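
The bulk workaround suggested in this thread (create or remove the .disabled markers by hand, then run semodule -B once), sketched as an added example that is not part of the original messages. It assumes the module store path quoted above and that each installed module is NAME.pp in that directory; the function names and the MODULE_DIR and REBUILD_CMD variables are hypothetical.

```shell
#!/bin/sh
# Added example: flip many SELinux module markers, then rebuild policy once.
# MODULE_DIR defaults to the path quoted in the thread (assumed layout);
# REBUILD_CMD defaults to "semodule -B". Both can be overridden for a dry run.
MODULE_DIR="${MODULE_DIR:-/etc/selinux/default/modules/active/modules}"
REBUILD_CMD="${REBUILD_CMD:-semodule -B}"

# set_module_state disable|enable NAME...
# Creates or removes NAME.pp.disabled and prints how many markers changed.
set_module_state() {
    action="$1"; shift
    case "$action" in
        disable|enable) ;;
        *) echo "usage: set_module_state disable|enable NAME..." >&2
           return 2 ;;
    esac
    changed=0
    for name in "$@"; do
        # Reject empty names, path separators and dot-names so a bad
        # argument cannot create or delete files outside MODULE_DIR.
        case "$name" in
            ''|*/*|.*) echo "skip: bad module name '$name'" >&2; continue ;;
        esac
        pp="$MODULE_DIR/$name.pp"
        if [ ! -f "$pp" ]; then
            echo "skip: $name is not installed" >&2; continue
        fi
        if [ "$action" = disable ] && [ ! -e "$pp.disabled" ]; then
            : > "$pp.disabled"; changed=$((changed + 1))
        elif [ "$action" = enable ] && [ -e "$pp.disabled" ]; then
            rm -f -- "$pp.disabled"; changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# bulk_modules disable|enable NAME...
# Pays the slow policy rebuild once, and only if a marker actually changed.
bulk_modules() {
    n=$(set_module_state "$@") || return $?
    if [ "$n" -gt 0 ]; then
        # Rebuild output goes to stderr so stdout carries only the count.
        $REBUILD_CMD >&2 || return $?
    fi
    echo "$n"
}
```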