
I have noticed that the command setsebool takes a longer time than other Linux commands. Such as:

setsebool -P ftp_home_dir ON

Out of curiosity, I want to know why the "setsebool" command needs such a long time to complete the task?

Rui F Ribeiro
Xianlin
  • time setsebool -P ftp_home_dir ON. How long do you consider a long time? – jordanm Mar 13 '13 at 05:05
  • Tried the command as above and "real" time is about 30 sec. Usually a normal Linux command time setenforce 0 will give about 0.011 sec "real" time. I feel 30 sec is a bit long and wondering what is happening at the backend? – Xianlin Mar 13 '13 at 08:59
  • strace -f setsebool -P ftp_home_dir ON and see where exactly it's taking its sweet time. – Flup Mar 13 '13 at 15:14
  • I think I need more programming knowledge to understand the strace output. I guess it is because SELinux involves too many "deep" level changes on the Linux system and that is why it takes so much time to complete one command. – Xianlin Mar 15 '13 at 07:15
  • Does SELinux need to re-compile its rules when you make a change? I thought I recall reading that somewhere. – ellipse-of-uncertainty Aug 17 '13 at 14:21

1 Answer


The reason it is so slow is because it is performing a full compile of the policy when you run the command. (See this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=811656, Dan Walsh is one of the maintainers of the SELinux policy on RHEL and Fedora). It has been fixed in later versions of Fedora, which means it'll probably end up fixed in EL7 and possibly in later releases of EL6.

jsbillings
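Because the policy rebuild described in the answer is paid once per setsebool -P invocation, several persistent boolean changes can be collected into one call using the name=value form that setsebool accepts. The sketch below is an added example, not code from the thread; the function names, the DRY_RUN variable and the second boolean (httpd_can_network_connect) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: batch SELinux boolean changes into ONE persistent call,
# so the policy rebuild triggered by -P runs once instead of once per boolean.
# build_setsebool_cmd / apply_booleans / DRY_RUN are hypothetical names.

# Validate name=value pairs and print a single "setsebool -P ..." command line.
build_setsebool_cmd() {
    cmd="setsebool -P"
    [ "$#" -gt 0 ] || { echo "no booleans given" >&2; return 2; }
    for pair in "$@"; do
        case $pair in
            *=*) ;;
            *) echo "bad pair: $pair" >&2; return 2 ;;
        esac
        name=${pair%%=*}
        value=${pair#*=}
        # Boolean names are plain identifiers; reject anything else so the
        # generated command line cannot carry shell metacharacters.
        case $name in
            ''|*[!A-Za-z0-9_]*) echo "bad name: $pair" >&2; return 2 ;;
        esac
        case $value in
            on|ON|1|true)    cmd="$cmd $name=1" ;;
            off|OFF|0|false) cmd="$cmd $name=0" ;;
            *) echo "bad value: $pair" >&2; return 2 ;;
        esac
    done
    echo "$cmd"
}

# DRY_RUN=1 (default in this example) only prints the command.
# DRY_RUN=0 runs it; that needs root on an SELinux-enabled host.
apply_booleans() {
    cmd=$(build_setsebool_cmd "$@") || return $?
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$cmd"
    else
        $cmd    # unquoted on purpose: every word was validated above
    fi
}

# Constructed sample call: ftp_home_dir is from the question, the second
# boolean is an illustrative choice.
apply_booleans ftp_home_dir=ON httpd_can_network_connect=off
```

Dropping -P from the generated command changes only the running value and skips the persistent policy update, which is the quick way to test a boolean before committing it.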