* Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
@ 2007-07-18 19:54 Daniel J Walsh
  2007-07-20 17:55 ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2007-07-18 19:54 UTC
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 173 bytes --]

Takes about 2 seconds off the time to rebuild policy and lots more if 
you are backending your passwd database with ldap.  Or have many 
different locations for homedirs.



[-- Attachment #2: libsemanage-rhat.patch --]
[-- Type: text/x-patch, Size: 3572 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/handle.h libsemanage-2.0.3/include/semanage/handle.h
--- nsalibsemanage/include/semanage/handle.h	2007-07-16 14:20:37.000000000 -0400
+++ libsemanage-2.0.3/include/semanage/handle.h	2007-07-18 15:10:54.000000000 -0400
@@ -69,6 +69,10 @@
  * 1 for yes, 0 for no (default) */
 void semanage_set_create_store(semanage_handle_t * handle, int create_store);
 
+/* set whether to generate homedir file context
+ * 1 for yes (default), 0 for no */
+void semanage_set_rebuild_file_context(semanage_handle_t * handle, int do_rebuild_file_context);
+
 /* Check whether policy is managed via libsemanage on this system.
  * Must be called prior to trying to connect.
  * Return 1 if policy is managed via libsemanage on this system,
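
Review bot: The doc comment on semanage_set_rebuild_file_context() says the flag only controls whether the homedir file context is generated, but the semanage_store.c hunks in this patch use the same flag to skip the setfiles run as well as genhomedircon. Since this is added to the exported symbol list, the comment should name both steps that are skipped when 0 is passed and say for which kinds of change passing 0 is safe.
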
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.c libsemanage-2.0.3/src/handle.c
--- nsalibsemanage/src/handle.c	2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.3/src/handle.c	2007-07-18 15:10:54.000000000 -0400
@@ -68,6 +68,7 @@
 	/* By default do not create store */
 	sh->create_store = 0;
 
+	sh->do_rebuild_file_context = 1;
 	/* Set timeout: some default value for now, later use config */
 	sh->timeout = SEMANAGE_COMMIT_READ_WAIT;
 
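
Review bot: The new default `sh->do_rebuild_file_context = 1;` has no comment of its own and sits directly above the existing "Set timeout" comment with no blank line between them, so it reads as part of the timeout setup. Give it a one-line comment in the style of "By default do not create store" and follow it with a blank line.
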
@@ -100,6 +101,15 @@
 	return;
 }
 
+void semanage_set_rebuild_file_context(semanage_handle_t * sh, int do_rebuild_file_context)
+{
+
+	assert(sh != NULL);
+
+	sh->do_rebuild_file_context = do_rebuild_file_context;
+	return;
+}
+
 void semanage_set_create_store(semanage_handle_t * sh, int create_store)
 {
 
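
Review bot: semanage_set_rebuild_file_context() changes a field that this patch otherwise only sets where the handle defaults are initialised, and nothing here restores it after a commit, so a caller that passes 0 for one transaction and then reuses the handle keeps skipping setfiles and genhomedircon on every later commit. Either document that the setting is sticky for the life of the handle, or restore the default of 1 once the commit finishes.
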
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/handle.h libsemanage-2.0.3/src/handle.h
--- nsalibsemanage/src/handle.h	2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.3/src/handle.h	2007-07-18 15:10:54.000000000 -0400
@@ -58,6 +58,7 @@
 	int is_connected;
 	int is_in_transaction;
 	int do_reload;		/* whether to reload policy after commit */
+	int do_rebuild_file_context;	/* whether to generate homedircontext */
 	int do_rebuild;		/* whether to rebuild policy if there were no changes */
 	int modules_modified;
 	int create_store;	/* whether to create the store if it does not exist
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.3/src/libsemanage.map
--- nsalibsemanage/src/libsemanage.map	2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.3/src/libsemanage.map	2007-07-18 15:10:54.000000000 -0400
@@ -9,6 +9,7 @@
 	  semanage_module_list_nth; semanage_module_get_name;
 	  semanage_module_get_version; semanage_select_store;
 	  semanage_reload_policy; semanage_set_reload; semanage_set_rebuild;
+	  semanage_set_rebuild_file_context;
 	  semanage_user_*; semanage_bool_*; semanage_seuser_*;
 	  semanage_iface_*; semanage_port_*; semanage_context_*;
 	  semanage_node_*;
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.3/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c	2007-07-16 14:20:38.000000000 -0400
+++ libsemanage-2.0.3/src/semanage_store.c	2007-07-18 15:18:06.000000000 -0400
@@ -1120,7 +1120,7 @@
 
       skip_reload:
 
-	if ((r =
+	if (sh->do_rebuild_file_context && (r =
 	     semanage_exec_prog(sh, sh->conf->setfiles, store_pol,
 				store_fc)) != 0) {
 		ERR(sh, "setfiles returned error code %d.", r);
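
Review bot: In the condition after skip_reload, the setfiles call is given the store policy and the store file contexts and a non-zero return is reported as an error, so it acts as a check at commit time, yet the patch makes it skippable under a flag whose name and comments only mention homedir context generation. Consider a separate flag for the setfiles step, or skip it only when the transaction did not touch file contexts, so that a caller who just wants to avoid genhomedircon does not also lose this check.
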
@@ -1262,7 +1262,7 @@
 		goto cleanup;
 	}
 
-	if ((retval =
+	if (sh->do_rebuild_file_context && (retval =
 	     semanage_exec_prog(sh, sh->conf->genhomedircon,
 				sh->conf->store_path, "")) != 0) {
 		ERR(sh, "genhomedircon returned error code %d.", retval);
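
Review bot: With the short-circuit in `sh->do_rebuild_file_context && (retval = ...)`, retval is no longer assigned on this path when the flag is 0, and the surrounding code exits through `goto cleanup`. Make sure retval is explicitly set to the success value before this point so that a skipped genhomedircon cannot return a value left over from earlier code; an explicit `if (sh->do_rebuild_file_context) { ... }` block would also read more clearly than folding the flag into the error test.
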

[-- Attachment #3: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 557 bytes --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setsebool/setsebool.c policycoreutils-2.0.22/setsebool/setsebool.c
--- nsapolicycoreutils/setsebool/setsebool.c	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/setsebool/setsebool.c	2007-07-18 15:40:39.000000000 -0400
@@ -126,6 +126,7 @@
 	if (semanage_begin_transaction(handle) < 0)
 		goto err;
 
+	semanage_set_rebuild_file_context(handle, 0);
 	for (j = 0; j < boolcnt; j++) {
 
 		if (semanage_bool_create(handle, &boolean) < 0)
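
Review bot: The call `semanage_set_rebuild_file_context(handle, 0);` is added with no comment explaining why a boolean change can skip setfiles and genhomedircon, and it is made after semanage_begin_transaction() has already succeeded while the new header comment does not say whether the flag may be changed inside an open transaction. Add a short comment stating the assumption (only booleans are modified in this transaction) and either set the flag before the transaction begins or document that setting it mid-transaction is supported.
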


* Re: Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
  2007-07-18 19:54 Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans Daniel J Walsh
@ 2007-07-20 17:55 ` Stephen Smalley
  2007-07-20 20:32   ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2007-07-20 17:55 UTC
  To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan, Joshua Brindle

On Wed, 2007-07-18 at 15:54 -0400, Daniel J Walsh wrote:
> Takes about 2 seconds off the time to rebuild policy and lots more if 
> you are backending your passwd database with ldap.  Or have many 
> different locations for homedirs.

The way this should work is libsemanage should internally know what
needs to be rebuilt and only rebuild those things.  Not require the
caller to enable/disable parts.
 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
  2007-07-20 17:55 ` Stephen Smalley
@ 2007-07-20 20:32   ` Daniel J Walsh
  2007-07-23 17:06     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2007-07-20 20:32 UTC
  To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan, Joshua Brindle

Stephen Smalley wrote:
> On Wed, 2007-07-18 at 15:54 -0400, Daniel J Walsh wrote:
>   
>> Takes about 2 seconds off the time to rebuild policy and lots more if 
>> you are backending your passwd database with ldap.  Or have many 
>> different locations for homedirs.
>>     
>
> The way this should work is libsemanage should internally know what
> needs to be rebuilt and only rebuild those things.  Not require the
> caller to enable/disable parts.
>  
>   
I tend to agree, but this at least meets my short term goals.


* Re: Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
  2007-07-20 20:32   ` Daniel J Walsh
@ 2007-07-23 17:06     ` Stephen Smalley
  2007-07-23 17:21       ` Daniel J Walsh
  2007-07-23 18:10       ` Joshua Brindle
  0 siblings, 2 replies; 6+ messages in thread
From: Stephen Smalley @ 2007-07-23 17:06 UTC
  To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan, Joshua Brindle

On Fri, 2007-07-20 at 16:32 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-07-18 at 15:54 -0400, Daniel J Walsh wrote:
> >   
> >> Takes about 2 seconds off the time to rebuild policy and lots more if 
> >> you are backending your passwd database with ldap.  Or have many 
> >> different locations for homedirs.
> >>     
> >
> > The way this should work is libsemanage should internally know what
> > needs to be rebuilt and only rebuild those things.  Not require the
> > caller to enable/disable parts.
> >  
> >   
> I tend to agree, but this at least meets my short term goals.

Understood, but I don't think we want this approach upstream.  Joshua?
Karl?  

I'd rather work through the internal issues of libsemanage, as we want
that anyway so that e.g. semanage login -a doesn't rebuild policy either
(that was the whole point of moving Linux users out of policy, but
libsemanage today still rebuilds everything!).

-- 
Stephen Smalley
National Security Agency



* Re: Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
  2007-07-23 17:06     ` Stephen Smalley
@ 2007-07-23 17:21       ` Daniel J Walsh
  2007-07-23 18:10       ` Joshua Brindle
  1 sibling, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2007-07-23 17:21 UTC
  To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan, Joshua Brindle

Stephen Smalley wrote:
> On Fri, 2007-07-20 at 16:32 -0400, Daniel J Walsh wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Wed, 2007-07-18 at 15:54 -0400, Daniel J Walsh wrote:
>>>   
>>>       
>>>> Takes about 2 seconds off the time to rebuild policy and lots more if 
>>>> you are backending your passwd database with ldap.  Or have many 
>>>> different locations for homedirs.
>>>>     
>>>>         
>>> The way this should work is libsemanage should internally know what
>>> needs to be rebuilt and only rebuild those things.  Not require the
>>> caller to enable/disable parts.
>>>  
>>>   
>>>       
>> I tend to agree, but this at least meets my short term goals.
>>     
>
> Understood, but I don't think we want this approach upstream.  Joshua?
> Karl?  
>
> I'd rather work through the internal issues of libsemanage, as we want
> that anyway so that e.g. semanage login -a doesn't rebuild policy either
> (that was the whole point of moving Linux users out of policy, but
> libsemanage today still rebuilds everything!).
>
>   
Actually semanage login -a would need to run genhomedircon

semanage login - Needs genhomedircon

semanage user needs genhomedircon, rebuild policy

semanage port, interface needs rebuild policy

semodule needs rebuild policy and genhomedircon

semanage fcontext needs genhomedircon, or maybe nothing.

setsebool either needs nothing or rebuild policy.






* Re: Proposed patch to libsemanage/policycoreutils patches to not run genhomedircon/setfiles when setting booleans.
  2007-07-23 17:06     ` Stephen Smalley
  2007-07-23 17:21       ` Daniel J Walsh
@ 2007-07-23 18:10       ` Joshua Brindle
  1 sibling, 0 replies; 6+ messages in thread
From: Joshua Brindle @ 2007-07-23 18:10 UTC
  To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Karl MacMillan

Stephen Smalley wrote:
> On Fri, 2007-07-20 at 16:32 -0400, Daniel J Walsh wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Wed, 2007-07-18 at 15:54 -0400, Daniel J Walsh wrote:
>>>   
>>>       
>>>> Takes about 2 seconds off the time to rebuild policy and lots more if 
>>>> you are backending your passwd database with ldap.  Or have many 
>>>> different locations for homedirs.
>>>>     
>>>>         
>>> The way this should work is libsemanage should internally know what
>>> needs to be rebuilt and only rebuild those things.  Not require the
>>> caller to enable/disable parts.
>>>  
>>>   
>>>       
>> I tend to agree, but this at least meets my short term goals.
>>     
>
> Understood, but I don't think we want this approach upstream.  Joshua?
> Karl?  
>
> I'd rather work through the internal issues of libsemanage, as we want
> that anyway so that e.g. semanage login -a doesn't rebuild policy either
> (that was the whole point of moving Linux users out of policy, but
> libsemanage today still rebuilds everything!).
>
>   
I agree, I'll see what I can do about getting someone to work on this, 
perhaps after the genhomedircon in libsemanage work is done we can look 
at this (won't be long now, we've been getting the necessary stuff 
merged into ustr so we can use that for string manipulations)

