coreutils

Re: Make mv work better with SELinux.


From: Daniel J Walsh
Subject: Re: Make mv work better with SELinux.
Date: Wed, 05 Dec 2012 14:34:23 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0


On 12/04/2012 10:38 AM, Pádraig Brady wrote:
> On 10/08/2012 09:24 PM, Daniel J Walsh wrote:
>> 
>> One of, if not the most common, problems people hit with SELinux is the mv 
>> command, which maintains the file context of the source destination.
>> 
>> mv /home/dwalsh/index.html /var/www/html/
>> 
>> This blows up on everybody and then the users have no idea why.
>> 
>> I was thinking about adding -Z (--restorecon) to mv and having it
>> basically do an internal restorecon on the destination.
>> 
>> Then we could suggest people who get burnt by this to:
>> 
>> alias mv="mv -Z"
>> 
>> In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the 
>> regex, so there should be very little slowdown in doing this.
> 
> A question on performance. So there was a large matchpathcon() performance
> issue in Fedora 11 time, where we had a 20x slowdown if
> matchpathcon_init_prefix() wasn't called 
> https://bugzilla.redhat.com/show_bug.cgi?id=479502#c24
> 
That should be fixed:

In Fedora 18 we have greatly enhanced matchpathcon, by pre-compiling the
regex, so there should be very little slowdown in doing this.

We have seen a 40x speed up using the new version of matchpathcon.

> Does calling matchpathcon_init_prefix() still provide benefit on Fedora
> 18? More importantly, since the new selinux::restorecon_private() doesn't 
> call matchpathcon_init_prefix(), will it have the large performance issues
> on Fedora <= 17 and other SELinux supporting platforms?
> 
Yes, if you have a tight loop of mv -Z X Y, then you would take a hit on each
invocation.  Since this is optional, I do not see this as a problem.  The
install version was not optional, so a "make install" was exhibiting a huge
overhead.  Basically almost .33/sec slowdown.  As of Fedora 18, there should
be very limited overhead, so this should not be a problem.

matchpathcon_init_prefix theoretically would still give you a speed up, but I
don't believe it is measurable with the new libraries.

> Not a huge issue since install(1) enables setdefaultfilecon() by default, 
> whereas the new proposal would only enable when -Z is specified.
Yes, I missed this; I thought install had disabled this functionality altogether.
> That's an inconsistency in the patch in this thread actually. install -Z
> runs the new restorecon(), while also running the old setdefaultfilecon().
> Seems like we may need to drop the new install -Z code for now, and
> possibly in future merge restorecon() and setdefaultfilecon()
Yes, I agree.  This was my mistake.
> 
> cheers, Pádraig.

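The behaviour proposed in this thread (mv, then an internal restorecon on the destination so the file takes the label its new path is supposed to carry) can be approximated with a wrapper around the stock tools. This is an added example, not the coreutils patch under discussion; RESTORECON_CMD is an assumed hook so the destination-path logic can be exercised on a host without SELinux.

```shell
#!/bin/sh
# mvz: move with mv(1), then reset each destination's SELinux label to the
# policy default, as the proposed "mv -Z" would. Added example, not the
# coreutils patch. RESTORECON_CMD is an assumed hook (defaults to restorecon).

# Print the final path of each moved source, one per line. Follows mv's
# rules: with several sources, or a directory target, each source lands at
# TARGET/basename(SOURCE); otherwise the single source becomes TARGET.
mvz_targets() {
    # usage: mvz_targets SOURCE... TARGET
    [ "$#" -ge 2 ] || return 1
    eval "target=\${$#}"          # last argument is the target
    n=$(( $# - 1 ))               # number of sources
    if [ -d "$target" ] || [ "$n" -gt 1 ]; then
        i=0
        for src in "$@"; do
            i=$(( i + 1 ))
            [ "$i" -le "$n" ] || break
            printf '%s/%s\n' "${target%/}" "$(basename -- "$src")"
        done
    else
        printf '%s\n' "$target"
    fi
}

# Move, then relabel. Without the relabel step a file moved from /home into
# /var/www/html keeps its user_home_t label and httpd is denied access,
# which is the failure the thread describes.
mvz() {
    targets=$(mvz_targets "$@") || return 1
    mv -- "$@" || return 1
    # The label now follows the destination path, not the source.
    printf '%s\n' "$targets" | while IFS= read -r path; do
        "${RESTORECON_CMD:-restorecon}" -R "$path" || exit 1
    done || return 1
}
```

Used as `alias mv=mvz`, this gives the same effect the thread suggests for `alias mv="mv -Z"` on systems whose mv lacks the option.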
