Bug 119948 - anaconda is very slow on updates (selinux)
Product: Fedora
Classification: Fedora
Component: anaconda
All Linux
medium Severity medium
Assigned To: Jeremy Katz
Mike McLean
Reported: 2004-04-03 19:53 EST by Michal Jaegermann
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-04-14 19:03:32 EDT
Description Michal Jaegermann 2004-04-03 19:53:58 EST
Description of problem:

Updating a system which was not set up for selinux, but with
anaconda running that, the whole process becomes really slow.
Not very formal attempts to measure a slowdown indicate that
this is at least a factor two and possibly quite a bit more.
This was tried with updates of, roughly, FC2t1 system to FC2t2.

The culprit here seems indeed to be selinux as syslog quickly
collects tons of messages from audit.  Here are some samples:

<3>audit(1080959125.465:0): avc:  denied  { read } for  pid=11
exe=/sbin/init path=/proc/kmsg dev= ino=4106
tcontext=system_u:object_r:proc_kmsg_t tclass=file
<3>audit(1080959125.466:0): avc:  denied  { write } for  pid=12
exe=/sbin/loader name=exec dev= ino=786453
tcontext=system_u:system_r:kernel_t tclass=file
<3>audit(1080959125.468:0): avc:  denied  { write } for  pid=11
exe=/sbin/init path=/tmp/syslog dev= ino=754
tcontext=system_u:object_r:unlabeled_t tclass=file
<3>audit(1080959125.609:0): avc:  denied  { rlimitinh } for  pid=104
exe=/mnt/runtime/usr/bin/python scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:anaconda_t tclass=process
<3>audit(1080959307.505:0): avc:  denied  { search } for  pid=58
exe=/mnt/runtime/usr/bin/bash name=mnt dev=ram0 ino=116
tcontext=system_u:object_r:unlabeled_t tclass=dir
<3>audit(1080959307.505:0): avc:  denied  { getattr } for  pid=58
exe=/mnt/runtime/usr/bin/bash path=/mnt/runtime/usr/bin/busybox
dev=loop0 ino=16139404 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:romfs_t tclass=file
<3>audit(1080959307.507:0): avc:  denied  { execute_no_trans } for 
pid=159 exe=/mnt/runtime/usr/bin/bash
path=/mnt/runtime/usr/bin/busybox dev=loop0 ino=16139404
scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:romfs_t
<3>audit(1080959424.139:0): avc:  denied  { getattr } for  pid=165
exe=/mnt/runtime/usr/bin/ls path=/tmp/updates dev= ino=1013
tcontext=system_u:object_r:unlabeled_t tclass=dir
and so on, and so on.

Booting with 'linux enforcing=0' does not really seem to change
anything.  Probably because anaconda starts selinux already in
a permissive mode.  OTOH with 'linux selinux=0' all these audit
messages disappear from logs and updating starts to move quite
a bit faster.

If anaconda cannot detect beforehand that file systems to be
updated are not set up for selinux, and turn it off,  then at
least it could offer a help message explaining how to update
without excessive pain and where to look for the information
needed to convert (which will have to be done later anyway)
if so desired.

BTW - with a setup as described above every attempt to update
always "updates" compat-db-4.1.25-2.1 regardless which version
of that happens to be already installed.  No idea what is causing
this curious effect.

Version-Release number of selected component (if applicable):
anaconda-9.91-7 (probably)
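
As an added example (not part of the original report and not anaconda code), the Python below rejoins the wrapped audit records quoted in the description and counts denials by target type, object class and permission. The names parse_avc and summarize are hypothetical; SAMPLE holds three records copied from the report. unlabeled_t is the type SELinux assigns to objects that carry no valid label, so a tally dominated by it points at file systems that were never labeled.

```python
import re
from collections import Counter

# Three of the wrapped records quoted in the description above.
SAMPLE = """\
<3>audit(1080959125.468:0): avc:  denied  { write } for  pid=11
exe=/sbin/init path=/tmp/syslog dev= ino=754
tcontext=system_u:object_r:unlabeled_t tclass=file
<3>audit(1080959307.505:0): avc:  denied  { getattr } for  pid=58
exe=/mnt/runtime/usr/bin/bash path=/mnt/runtime/usr/bin/busybox
dev=loop0 ino=16139404 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:romfs_t tclass=file
<3>audit(1080959424.139:0): avc:  denied  { getattr } for  pid=165
exe=/mnt/runtime/usr/bin/ls path=/tmp/updates dev= ino=1013
tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

HEADER = re.compile(r"audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "dev="

def parse_avc(text):
    """Rejoin syslog-wrapped AVC records and return one dict per denial."""
    records, current = [], None
    for line in text.splitlines():
        if "audit(" in line and "avc:" in line:   # start of a new record
            current = [line]
            records.append(current)
        elif current is not None and line.strip():  # wrapped continuation
            current.append(line)
    parsed = []
    for parts in records:
        joined = " ".join(p.strip() for p in parts)
        m = HEADER.search(joined)
        if not m:
            continue
        rec = dict(FIELD.findall(joined[m.end():]))
        rec["perms"] = m.group(1).split()
        # SELinux contexts are user:role:type; keep only the type.
        rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
        parsed.append(rec)
    return parsed

def summarize(records):
    """Count denials per (target type, object class, permission)."""
    return Counter((r["ttype"], r.get("tclass", "?"), p)
                   for r in records for p in r["perms"])

if __name__ == "__main__":
    for key, n in summarize(parse_avc(SAMPLE)).most_common():
        print(n, *key)
```
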
Comment 1 Jeremy Katz 2004-04-14 19:03:32 EDT
Default for FC2 is to have SELinux off now, which mitigates hitting this.

Deferring as it will probably come back as default on later.
Comment 2 Michal Jaegermann 2004-04-14 22:00:28 EDT
I am afraid that I do not understand what is a mitigating factor
when running updates unless you want to do a label creation
as the first step in anaconda.  This does not seem to be happening
right now.  Installations from scratch are not really a concern here.
