From: Daniel J Walsh <dwalsh@redhat.com>
To: russell@coker.com.au
Cc: Colin Walters <walters@verbum.org>,
Eric Paris <eparis@redhat.com>,
selinux@tycho.nsa.gov, lennart@poettering.net, sds@tycho.nsa.gov
Subject: Re: A filename to label translation daemon
Date: Sun, 12 Aug 2012 07:02:13 -0400
Message-ID: <50278D35.3060901@redhat.com>
In-Reply-To: <201208102335.40545.russell@coker.com.au>
On 08/10/2012 09:35 AM, Russell Coker wrote:
> On Fri, 10 Aug 2012, Daniel J Walsh <dwalsh@redhat.com> wrote:
>>> What is kerberos doing under /tmp and why is it being done repeatedly
>>> by different processes?
>>
>> Actually /var/tmp/HOST_0 /var/tmp/HTTP_23 ... Kerberos Replay Cache.
>> Every time someone contacts an apache server using kerberos it needs to
>> update this file, it does this via mktemp (/tmpHTTPD_23XXXX), rename.
>
> When replacing an existing file wouldn't it be better to just copy the
> context of the existing file when creating the replacement? If there was
> some good reason for running chcon on such a file (and I can't imagine a
> reason but it's best to leave the options open IMHO) then having the
> context change back the next time someone connects seems like a bug.
>
They use setfscreatecon; if the file does not exist, it gets labeled incorrectly.
>>>> Running make install has caused a huge hit if you are running
>>>> thousands of install commands, which caused the removal of labeling
>>>> from the install command.
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638304
>>>
>>> I believe that is a design bug in the SE Linux code in install, I've
>>> filed the above Debian bug report about it.
>>>
>>> I think that correct design of install wouldn't have a "make install"
>>> performed as part of a dpkg or rpm build do any SE Linux checks. That
>>> would be faster than any other option.
>>
>> Programmers and testers regularly run make install and this ends up
>> badly mislabeling files all over the place; telling everyone they have to
>> use rpm or dpkg is not going to fly.
>
> The current behavior of dpkg-buildpackage (and presumably a similar RPM
> build) producing lots of warning messages from install (depending on where
> you build it) isn't great either.
>
> Would it be possible to have dpkg-buildpackage (and other relevant
> programs) set an environment variable to modify the behavior of install in
> such situations?
>
> Also note that as install doesn't apply such contexts when creating
> directories the problem of testers running "make install" isn't properly
> solved with the current code.
>
>>>> Systemd has been executing the load many, many times and is
>>>> showing up to a 1 second slowdown on startup. If the startup is 10
>>>> seconds, it is kind of hard to justify a 10% slowdown on boot.
>>>
>>> Wow, who's got a 10 second boot?
>>>
>>> Is systemd loading the file contexts 100 times? If not then why is it
>>> taking a second?
>>
>> A 10 second boot is available with solid state machines. Systemd has not
>> seen the kind of performance that you are seeing, and obviously this is
>> sensitive to the speed of the CPU/Memory.
>
> Why isn't systemd seeing the same performance?
>
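As an added illustration of the replacement pattern Russell proposes (this is example code, not from the thread, from Kerberos or from libselinux): write the new content to a mktemp file in the same directory, copy the existing file's SELinux context onto it with chcon --reference (or, when no file exists yet, the policy default for the final path from matchpathcon), then rename over the target. The function name replace_keep_label and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Kerberos: atomic mktemp + rename
# replacement that keeps the SELinux label of the file being replaced, so an
# administrator's chcon on the old file is not undone by the next rewrite.
# Function name and arguments are hypothetical.

replace_keep_label() {
    src=$1   # file holding the new content
    dst=$2   # file to replace (may not exist yet)
    dir=$(dirname -- "$dst")
    base=$(basename -- "$dst")

    # Temp file in the same directory so the final rename(2) is atomic.
    tmp=$(mktemp "$dir/.$base.XXXXXX") || return 1

    # cp into the already-created temp file keeps mktemp's 0600 mode.
    cp -- "$src" "$tmp" || { rm -f -- "$tmp"; return 1; }

    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        if [ -e "$dst" ]; then
            # Existing target: carry its context over, whatever it is.
            chcon --reference="$dst" -- "$tmp" || { rm -f -- "$tmp"; return 1; }
        elif command -v matchpathcon >/dev/null 2>&1; then
            # No target yet: label as policy says the final path should be
            # labelled, not as the temporary name would be.
            ctx=$(matchpathcon -n "$dst") || { rm -f -- "$tmp"; return 1; }
            chcon -- "$ctx" "$tmp" || { rm -f -- "$tmp"; return 1; }
        fi
    fi

    # rename(2): the inode, and therefore its label, moves with the file.
    mv -f -- "$tmp" "$dst" || { rm -f -- "$tmp"; return 1; }
}
```

On a host without SELinux the label steps are skipped and the function degrades to a plain atomic replace.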
--
This message was distributed to subscribers of the selinux mailing list.