Description of problem:

Updating a system which was not set up for selinux, but with anaconda running that, the whole process becomes really slow. Not very formal attempts to measure a slowdown indicate that this is at least a factor of two and possibly quite a bit more. This was tried with updates of, roughly, an FC2t1 system to FC2t2.

The culprit here seems to be indeed selinux as syslog quickly collects tons of messages from audit. Here are some samples:

<3>audit(1080959125.465:0): avc: denied { read } for pid=11 exe=/sbin/init path=/proc/kmsg dev= ino=4106 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
<3>audit(1080959125.466:0): avc: denied { write } for pid=12 exe=/sbin/loader name=exec dev= ino=786453 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=file
...
<3>audit(1080959125.468:0): avc: denied { write } for pid=11 exe=/sbin/init path=/tmp/syslog dev= ino=754 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
...
<3>audit(1080959125.609:0): avc: denied { rlimitinh } for pid=104 exe=/mnt/runtime/usr/bin/python scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:anaconda_t tclass=process
...
<3>audit(1080959307.505:0): avc: denied { search } for pid=58 exe=/mnt/runtime/usr/bin/bash name=mnt dev=ram0 ino=116 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
<3>audit(1080959307.505:0): avc: denied { getattr } for pid=58 exe=/mnt/runtime/usr/bin/bash path=/mnt/runtime/usr/bin/busybox dev=loop0 ino=16139404 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:romfs_t tclass=file
<3>audit(1080959307.507:0): avc: denied { execute_no_trans } for pid=159 exe=/mnt/runtime/usr/bin/bash path=/mnt/runtime/usr/bin/busybox dev=loop0 ino=16139404 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:romfs_t tclass=file
...
<3>audit(1080959424.139:0): avc: denied { getattr } for pid=165 exe=/mnt/runtime/usr/bin/ls path=/tmp/updates dev= ino=1013 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
....

and so on, and so on.

Booting with 'linux enforcing=0' does not seem to change really anything. Probably because anaconda starts selinux already in a permissive mode. OTOH with 'linux selinux=0' all these audit messages disappear from logs and updating starts to move quite a bit faster.

If anaconda cannot detect beforehand that file systems to be updated are not set up for selinux, and turn it off, then at least it could offer a help message explaining how to update without excessive pain and where to look for information needed to convert (which will have to be done later anyway) if so desired.

BTW - with a setup as described above every attempt to update always "updates" compat-db-4.1.25-2.1 regardless of which version of that happens to be already installed. No idea what is causing this curious effect.

Version-Release number of selected component (if applicable): anaconda-9.91-7 (probably)
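The samples in the report share one source type (kernel_t) and mostly target unlabeled_t objects. As an added example (not part of the original report and not anaconda code), this sketch tallies AVC denial lines of that shape by source type, target type and class; the function names are illustrative and the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample lines copied verbatim from the report (kernel printk prefix "<3>" kept).
SAMPLE = """\
<3>audit(1080959125.465:0): avc: denied { read } for pid=11 exe=/sbin/init path=/proc/kmsg dev= ino=4106 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:proc_kmsg_t tclass=file
<3>audit(1080959125.468:0): avc: denied { write } for pid=11 exe=/sbin/init path=/tmp/syslog dev= ino=754 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
<3>audit(1080959307.505:0): avc: denied { search } for pid=58 exe=/mnt/runtime/usr/bin/bash name=mnt dev=ram0 ino=116 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
<3>audit(1080959424.139:0): avc: denied { getattr } for pid=165 exe=/mnt/runtime/usr/bin/ls path=/tmp/updates dev= ino=1013 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
"""

AVC_RE = re.compile(r"audit\((\d+\.\d+):\d+\):\s+avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, as in "dev= "

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group(3)))
    rec["time"] = float(m.group(1))
    rec["perms"] = m.group(2).split()
    return rec

def sel_type(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    table = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and "scontext" in rec and "tcontext" in rec:
            key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec.get("tclass", "?"))
            table[key].update(rec["perms"])
    return dict(table)

def unlabeled_share(lines):
    """Fraction of denials whose target type is unlabeled_t (object has no valid label)."""
    recs = [r for r in map(parse_avc, lines) if r]
    hits = sum(1 for r in recs if sel_type(r.get("tcontext", "")) == "unlabeled_t")
    return hits / len(recs) if recs else 0.0

if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE.splitlines()).items()):
        print(key, sorted(perms))
    print("unlabeled share:", unlabeled_share(SAMPLE.splitlines()))
```

A high unlabeled_t share in a real log points at a file system that was never labeled, which is the condition the report describes.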
Default for FC2 is to have SELinux off now, which mitigates hitting this. Deferring as it will probably come back as default on later.
I am afraid that I do not understand what is a mitigating factor when running updates unless you want to do label creation as the first step in anaconda. This does not seem to be happening right now. Installations from scratch are not really a concern here.