* transactions in semanage
From: Russell Coker @ 2010-07-18 12:05 UTC (permalink / raw)
To: SE-Linux
Has anyone considered a batch/transaction interface for semanage?
The idea would be that you could redirect input from a script containing a
list of commands, and either all of them would succeed and be committed to
disk or none of the changes would apply and an error message would inform the
user of the cause of the problem.
The first benefit of this would be an improvement in run-time. Currently
semanage can be quite time consuming on a low-end system and if you have a
large number of commands to run (e.g. a for loop that has each iteration adding
a number of fcontext rules or user identities) then it could be a real drag.
But having the transactional property as well would also be a good benefit.
While it's possible to implement the same thing in shell code a basic
transactional property would be handy - and save shell coding errors.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: transactions in semanage
From: Kyle Moffett @ 2010-07-18 17:54 UTC (permalink / raw)
To: russell; +Cc: SE-Linux
Hi Russell!
On Sun, Jul 18, 2010 at 08:05, Russell Coker <russell@coker.com.au> wrote:
> Has anyone considered a batch/transaction interface for semanage?
>
> The idea would be that you could redirect input from a script containing a
> list of commands, and either all of them would succeed and be committed to
> disk or none of the changes would apply and an error message would inform the
> user of the cause of the problem.
>
> The first benefit of this would be an improvement in run-time. Currently
> semanage can be quite time consuming on a low-end system and if you have a
> large number of commands to run (e.g. a for loop that has each iteration adding
> a number of fcontext rules or user identities) then it could be a real drag.
This sounds like a good direction to move in, but if you're interested
in run-time there's much lower hanging fruit. Matt Robertson (a
coworker of mine) just posted a relatively short patch that cuts 80%
off the runtime of the "semodule" by allowing dynamically-sized hash
tables. Specifically, in his original profile results a simple
"semodule -i" was spending a whopping 50% of its time in strcmp().
It looks like a substantial additional reduction can be obtained by
adding support for lzma or gzip compression (or maybe even disable it
entirely) instead of the CPU-intensive bzip2. On top of that, there
seem to be at least a few O(X^2) algorithms that may be rewritten for
efficiency.
So while I personally think that a transactional interface would be
good (perhaps similar to "iptables-load" and "iptables-restore"?),
there are much more important things to fix with regard to runtime.
Asking that the admin wait 2 minutes to add a new SELinux user is just
a bit much :-D.
Cheers,
Kyle Moffett
* Re: transactions in semanage
From: Daniel J Walsh @ 2010-07-19 13:58 UTC (permalink / raw)
To: Kyle Moffett; +Cc: russell, SE-Linux
On 07/18/2010 01:54 PM, Kyle Moffett wrote:
> Hi Russell!
>
> On Sun, Jul 18, 2010 at 08:05, Russell Coker <russell@coker.com.au> wrote:
>> Has anyone considered a batch/transaction interface for semanage?
>>
>> The idea would be that you could redirect input from a script containing a
>> list of commands, and either all of them would succeed and be committed to
>> disk or none of the changes would apply and an error message would inform the
>> user of the cause of the problem.
>>
>> The first benefit of this would be an improvement in run-time. Currently
>> semanage can be quite time consuming on a low-end system and if you have a
>> large number of commands to run (e.g. a for loop that has each iteration adding
>> a number of fcontext rules or user identities) then it could be a real drag.
>
> This sounds like a good direction to move in, but if you're interested
> in run-time there's much lower hanging fruit. Matt Robertson (a
> coworker of mine) just posted a relatively short patch that cuts 80%
> off the runtime of the "semodule" by allowing dynamically-sized hash
> tables. Specifically, in his original profile results a simple
> "semodule -i" was spending a whopping 50% of its time in strcmp().
>
> It looks like a substantial additional reduction can be obtained by
> adding support for lzma or gzip compression (or maybe even disable it
> entirely) instead of the CPU-intensive bzip2. On top of that, there
> seem to be at least a few O(X^2) algorithms that may be rewritten for
> efficiency.
>
> So while I personally think that a transactional interface would be
> good (perhaps similar to "iptables-load" and "iptables-restore"?),
> there are much more important things to fix with regard to runtime.
> Asking that the admin wait 2 minutes to add a new SELinux user is just
> a bit much :-D.
>
> Cheers,
> Kyle Moffett
Not well documented bug
semanage -S targeted -i - << _EOF
login -a -s xguest_u xguest
boolean -m --on allow_polyinstantiation
boolean -m --on xguest_connect_network
boolean -m --on xguest_mount_media
boolean -m --on xguest_use_bluetooth
_EOF
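The batch interface shown in Dan's example, applied to the scenario from Russell's first message (a loop adding a number of fcontext rules), as an added shell example that is not part of the thread and not part of the semanage tool itself. It builds the whole command file first and only hands a complete, validated batch to "semanage -i -", so a malformed entry never reaches the policy store. The SAMPLE_RULES path/type pairs and the two function names are constructed for this example; the "semanage -S targeted -i -" invocation is the one in Dan's reply.

```shell
#!/bin/sh
# Added example (not from the thread): turn a list of "path type" pairs
# into one semanage command file and load it with "semanage -i -" in a
# single run, instead of forking semanage once per fcontext rule.
# SAMPLE_RULES is constructed for this example.

SAMPLE_RULES='
# path-regex                 SELinux type
/srv/www(/.*)?               httpd_sys_content_t
/srv/www/uploads(/.*)?       httpd_sys_rw_content_t
/var/log/myapp(/.*)?         var_log_t
'

# Read "path type" pairs from stdin and emit one "fcontext -a" line each,
# in the syntax semanage -i expects (a subcommand per line, no leading
# "semanage"). Blank lines and "#" comments are skipped. Any malformed
# entry makes the function return 1, so an incomplete batch is never
# produced.
build_fcontext_batch() {
    while read -r path type extra; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -z "$type" ] || [ -n "$extra" ]; then
            echo "build_fcontext_batch: expected 'path type', got: $path $type $extra" >&2
            return 1
        fi
        # Type names are identifiers: letters, digits and underscore only.
        case "$type" in
            *[!A-Za-z0-9_]*)
                echo "build_fcontext_batch: bad type name: $type" >&2
                return 1 ;;
        esac
        # The path is emitted inside double quotes; refuse anything that
        # would break that quoting rather than trying to escape it.
        case "$path" in
            *'"'*|*'\'*)
                echo "build_fcontext_batch: unsupported character in path: $path" >&2
                return 1 ;;
        esac
        printf 'fcontext -a -t %s "%s"\n' "$type" "$path"
    done
}

# Apply the batch to the targeted store in one transaction (needs root and
# a system with semanage). The batch is built completely before semanage
# is started, so a bad entry aborts the whole operation up front.
apply_fcontext_batch() {
    batch=$(build_fcontext_batch) || return 1
    printf '%s\n' "$batch" | semanage -S targeted -i -
}

# Dry run: print the command file that apply_fcontext_batch would feed in.
printf '%s\n' "$SAMPLE_RULES" | build_fcontext_batch
```

To load the rules for real, run `printf '%s\n' "$SAMPLE_RULES" | apply_fcontext_batch` as root; the dry run at the bottom only prints the generated command file, which is what the thread's transactional interface consumes.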
* Re: transactions in semanage
From: Russell Coker @ 2010-07-20 2:37 UTC (permalink / raw)
To: Daniel J Walsh, SE-Linux
On Mon, 19 Jul 2010, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Not well documented bug
> semanage -S targeted -i - << _EOF
Thanks for that; I have attached a patch for the man page.
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
[-- Attachment #2: diff --]
--- /tmp/semanage.8 2010-07-20 12:31:17.758929241 +1000
+++ ./semanage/semanage.8 2010-07-20 12:33:24.406954909 +1000
@@ -21,6 +21,8 @@
.br
.B semanage permissive \-{a|d} type
.br
+.B semanage -i command-file
+.br
.B semanage dontaudit [ on | off ]
.P
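Review bot: the new synopsis line `.B semanage -i command-file` uses a bare `-` where every other option in this synopsis is written `\-` (see the context line `.B semanage permissive \-{a|d} type`); in groff an unescaped hyphen is typeset as a hyphen rather than a minus sign and does not survive copy-and-paste, so it should read `.B semanage \-i command-file`. The line also does not say that `-` as the file name reads the commands from standard input, which is exactly how the example in the reply being answered invokes it (`semanage -S targeted -i - << _EOF`), and it omits the `\-S` store option that example combines with `-i`.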
@@ -99,6 +101,10 @@
.TP
.I \-t, \-\-type
SELinux Type for the object
+.TP
+.I \-i
+Take a set of commands from a specified file and load them in a single
+transaction.
.SH EXAMPLE
.nf
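Review bot: the option entry `.I \-i` and its description are thinner than the neighbouring entries, which give both forms (`.I \-t, \-\-type`) and name the object precisely; "Take a set of commands from a specified file" leaves the file format unstated and does not mention that `-` means standard input. Suggest describing the format the example in this thread uses: "Take a set of commands, one per line in the same syntax as the command line but without the leading semanage, from the specified file (standard input if the file is -), and load them in a single transaction." Since "transaction" is the whole point of the option, the description should also say what happens when one command in the file fails, so readers know whether the earlier lines are kept or the entire batch is rejected.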