Bug 2066673

Summary: Adjust default config values
Product: Red Hat Enterprise Linux 8
Reporter: Marko Myllynen <myllynen>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.6
CC: sgrubb
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-08-02 12:28:35 UTC
Type: Bug

Description Marko Myllynen 2022-03-22 10:09:02 UTC
Description of problem:
Some of the RHEL default fapolicyd config values are unintuitive.

Upstream default for db_max_size is 100, Steve said 50 was needed in his environment, but RHEL RPM uses 40. Is it really worth trying to save 10MB here if that's not adequate enough in some environments? How about syncing upstream and the RHEL default?

obj_cache_size default is 4096 but RHEL default is 8191 (sic). If db_max_size was minimal compared to upstream then why is this doubled? And why 8191 instead of 8192?

I'm not qualified to review all the default values but I'd hope the RHEL/upstream defaults would be more in sync and there would be some consistency in setting non-default values on RHEL (e.g., why minimize one when doubling the other).

Version-Release number of selected component (if applicable):
fapolicyd-1.1-1.el8.x86_64

Comment 1 Steve Grubb 2022-07-19 16:33:38 UTC
The value 8191 is chosen because it is a prime number. Prime numbers are recommended to prevent collisions in the LRU lookup. This is documented in the performance part of README.md. The default values you are seeing are simply old values from old packages. Newer packages have newer numbers.
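
The collision effect mentioned in Comment 1, shown as an added example that is not part of the bug thread or of fapolicyd's code. It assumes a cache slot is picked as `key % size` and uses constructed keys spaced by a fixed stride; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumption: a cache slot is chosen as key % size. Keys are a constructed
 * arithmetic sequence start, start+stride, ... standing in for regularly
 * spaced identifiers. Reports how many slots get used and how many keys
 * land in the busiest slot. Returns 0 on success, -1 on allocation failure. */
static int slot_stats(unsigned size, unsigned long start, unsigned long stride,
                      unsigned n, unsigned *distinct, unsigned *max_load)
{
    unsigned *load = calloc(size, sizeof *load);
    if (!load)
        return -1;
    *distinct = 0;
    *max_load = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned slot = (unsigned)((start + (unsigned long)i * stride) % size);
        if (load[slot]++ == 0)
            (*distinct)++;          /* first key to reach this slot */
        if (load[slot] > *max_load)
            *max_load = load[slot]; /* keys competing for one slot */
    }
    free(load);
    return 0;
}

static unsigned distinct_slots(unsigned size, unsigned long stride, unsigned n)
{
    unsigned d = 0, m = 0;
    slot_stats(size, 1000, stride, n, &d, &m);
    return d;
}

static unsigned busiest_slot(unsigned size, unsigned long stride, unsigned n)
{
    unsigned d = 0, m = 0;
    slot_stats(size, 1000, stride, n, &d, &m);
    return m;
}

int main(void)
{
    const unsigned sizes[] = { 8191, 8192 };
    const unsigned long strides[] = { 1, 64, 4096, 8191 };
    for (size_t s = 0; s < sizeof sizes / sizeof sizes[0]; s++)
        for (size_t k = 0; k < sizeof strides / sizeof strides[0]; k++)
            printf("size=%u stride=%lu: %u slots used, busiest holds %u keys\n",
                   sizes[s], strides[k], distinct_slots(sizes[s], strides[k], 4096),
                   busiest_slot(sizes[s], strides[k], 4096));
    return 0;
}
```

With 4096 keys, a power-of-two stride leaves most of an 8192-slot table unused, while 8191 spreads the same keys over 4096 slots. The prime size only degenerates when the stride is a multiple of 8191 itself.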

Comment 2 Radovan Sroka 2022-08-02 12:28:35 UTC
Closing with CURRENT RELEASE resolution.

Comment 3 Steve Grubb 2022-08-03 16:00:59 UTC
Also, one last thing... fapolicyd-1.1.4 adds --check-status to fapolicyd-cli so that you can see at any time what metrics the daemon is keeping.