Re: Make mv work better with SELinux.
From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Wed, 05 Dec 2012 14:34:23 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/04/2012 10:38 AM, Pádraig Brady wrote:
> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> One of, if not the, most common problems people hit with SELinux is the mv
>> command, which maintains the file context of the source destination.
>>
>> mv /home/dwalsh/index.html /var/www/html/
>>
>> This blows up on everybody and then the users have no idea why.
>>
>> I was thinking about adding -Z (--restorecon) to mv and having it
>> basically do an internal restorecon on the destination.
>>
>> Then we could suggest people who get burnt by this to:
>>
>> alias mv="mv -Z"
>>
>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
>> regex, so there should be very little slow down in doing this.
>
> A question on performance. So there was a large matchpathcon() performance
> issue in Fedora 11 time, where we had a 20x slow down if
> matchpathcon_init_prefix() wasn't called
> https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24
>
That should be fixed:
In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
regex, so there should be very little slow down in doing this.
We have seen a 40x speed up using the new version of matchpathcon.
> Does calling matchpathcon_init_prefix() still provide benefit on Fedora
> 18? More importantly, since the new selinux::restorecon_private() doesn't
> call matchpathcon_init_prefix(), will it have the large performance issues
> on Fedora <= 17 and other SELinux supporting platforms?
>
Yes, if you have a tight loop of mv -Z X Y, then you would take a hit on each
invocation. Since this is optional, I do not see this as a problem. The
install version was not optional, so a "make install" was exhibiting a huge
overhead. Basically almost .33/sec slow down. As of Fedora 18, there should
be very limited overhead so this should not be a problem.
matchpathcon_init_prefix theoretically would still give you a speed up, but I
don't believe it is measurable with the new libraries.
> Not a huge issue since install(1) enables setdefaultfilecon() by default,
> whereas the new proposal would only enable when -Z is specified.
Yes, I missed this; I thought install had disabled this functionality altogether.
> That's an inconsistency in the patch in this thread actually. install -Z
> runs the new restorecon(), while also running the old setdefaultfilecon().
> Seems like we may need to drop the new install -Z code for now, and
> possibly in future merge restorecon() and setdefaultfilecon()
Yes, I agree. This was my mistake.
>
> cheers, Pádraig.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlC/ob8ACgkQrlYvE4MpobNZRQCfa0hlo19AOY8IGnRARqpQfHZO
gbcAnRX9S8YD+TPdXpKZK/kVct5HqUIm
=HU0c
-----END PGP SIGNATURE-----
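The thread's complaint is that `mv` renames a file without touching its security context, so a file labelled for `/home` ends up under `/var/www/html` still carrying `user_home_t`, and httpd is denied. The model below, added to this archive page and not coreutils or libselinux code, replays that scenario in memory: a `FileContexts` class that compiles its regexes once (the pre-compilation the thread credits for the Fedora 18 speed-up) and answers `matchpathcon`-style lookups, and a `FakeFs` whose `mv` keeps the source label unless asked to behave like the proposed `-Z`. The `file_contexts` lines, paths and class names are constructed for illustration, not a real policy, and the "last matching spec wins" rule is an assumption about how the real lookup orders its specs.

```python
"""
Toy model of the behaviour discussed in this thread: plain mv keeps the
source file's SELinux label, while the proposed mv -Z relabels the
destination the way restorecon would, using the file_contexts match for
the new path.

Added example for this archive page; it is not coreutils or libselinux
code. The file_contexts lines, paths and class names below are constructed
for illustration and are not a real policy.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts-style specs: "<regex> <context>" per line.
# The optional file-type field (e.g. "--") of real file_contexts is omitted.
FILE_CONTEXTS = """
# home directories
/home/[^/]+(/.*)?          system_u:object_r:user_home_t:s0
# web content, with a more specific spec later in the file
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
"""


class FileContexts:
    """Compiles every regex once at load time, so repeated lookups (the
    "tight loop of mv -Z" case in the thread) pay no per-call compile cost."""

    def __init__(self, spec_text: str) -> None:
        self.specs: List[Tuple[re.Pattern, str]] = []
        for line in spec_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            regex, context = line.split()
            self.specs.append((re.compile(regex), context))

    def matchpathcon(self, path: str) -> Optional[str]:
        """Return the context for path, or None if no spec matches.
        Assumption: as with libselinux, the last matching spec wins."""
        for regex, context in reversed(self.specs):
            if regex.fullmatch(path):
                return context
        return None


class FakeFs:
    """In-memory stand-in for a labelled filesystem: path -> security context."""

    def __init__(self, fc: FileContexts) -> None:
        self.fc = fc
        self.labels: Dict[str, str] = {}

    def create(self, path: str) -> str:
        """Create a file carrying the label file_contexts expects for that path."""
        self.labels[path] = self.fc.matchpathcon(path) or "system_u:object_r:unlabeled_t:s0"
        return self.labels[path]

    def restorecon(self, path: str) -> str:
        """Reset a file's label to what file_contexts says it should be."""
        expected = self.fc.matchpathcon(path)
        if expected is not None:
            self.labels[path] = expected
        return self.labels[path]

    def mv(self, src: str, dst: str, restorecon: bool = False) -> str:
        """Rename src to dst. Like real mv, the label travels with the file;
        restorecon=True models the proposed -Z, relabelling dst afterwards."""
        self.labels[dst] = self.labels.pop(src)
        if restorecon:
            self.restorecon(dst)
        return self.labels[dst]

    def mislabelled(self) -> List[str]:
        """Paths whose current label differs from their file_contexts match."""
        return sorted(
            p for p, label in self.labels.items()
            if self.fc.matchpathcon(p) not in (None, label)
        )


def run_scenario(restorecon: bool) -> Tuple[str, List[str]]:
    """Replay the thread's example (mv ~/index.html /var/www/html/) with or
    without the proposed -Z; returns the destination's label and the list of
    files left mislabelled."""
    fs = FakeFs(FileContexts(FILE_CONTEXTS))
    fs.create("/home/dwalsh/index.html")
    label = fs.mv("/home/dwalsh/index.html", "/var/www/html/index.html",
                  restorecon=restorecon)
    return label, fs.mislabelled()


if __name__ == "__main__":
    for flag in (False, True):
        label, bad = run_scenario(restorecon=flag)
        print(f"mv{' -Z' if flag else ''}: dst label {label}; mislabelled: {bad}")
```

Running it prints the plain `mv` leaving `/var/www/html/index.html` labelled `user_home_t` and flagged as mislabelled, and the `-Z` variant ending with `httpd_sys_content_t` and nothing to report. On a real host the equivalent check is `ls -Z` on the destination followed by `restorecon -v`, which prints each relabel it performs.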