Description of problem:

# time setsebool -P deny_ptrace=false
real    1m27.838s
user    1m24.839s
sys     0m0.700s

I realize that opening this box might open an entire Pandora's box of problems with how policy is assembled and built, but... 90 seconds to flip one boolean is awful.

Version-Release number of selected component (if applicable):
policycoreutils-2.1.10-29.fc17.x86_64
selinux-policy-3.10.0-110.fc17.noarch

How reproducible:
100%

Steps to Reproduce:
1. set a boolean
2. wait for it
3. wait for it

Actual results:
Slooooooooow

Expected results:
Fast. Ideally not much, if any, slower than setting a non-persistent boolean.

Additional info:
Is this on a virtual machine? I see

# time setsebool -P deny_ptrace=false
real    0m13.920s
user    0m12.718s
sys     0m1.004s
No, bare hardware, Core i7. If there is something I can do to get a better profile of what it's doing (either a trace mode, or oprofile, or whatever), just ask.
It is doing a full compile of the policy.

# time setsebool -P deny_ptrace=true
real    0m9.660s
user    0m9.295s
sys     0m0.251s

ThinkPad X220 on SSD.

# grep expand-check /etc/selinux/semanage.conf
# expand-check check neverallow rules when executing all semanage commands.
expand-check=0
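The two comments above contrast the cost of a persistent flip (a full policy rebuild through libsemanage) with the expand-check setting in semanage.conf. The following is an added example, not part of the bug report or of the policycoreutils code: a small POSIX sh helper that reads the effective expand-check value (skipping the comment line that also matches a naive grep) and, where setsebool/getsebool are installed and you are root, times a non-persistent flip against a -P flip of the same boolean. The libsemanage default of 1 when the key is absent, the `run` argument and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads the effective expand-check
# setting from a semanage.conf and, when the SELinux tools exist, times a
# non-persistent boolean flip against a persistent (-P) one.

# Print the effective expand-check value from the given semanage.conf.
# Comment lines (such as "# expand-check check neverallow rules ...") are
# skipped; the last uncommented "expand-check=N" wins. When the key is
# absent or the file is unreadable we assume libsemanage's default of 1
# (neverallow checking enabled) -- an assumption of this example.
semanage_expand_check() {
    conf="${1:-/etc/selinux/semanage.conf}"
    [ -r "$conf" ] || { echo 1; return 0; }
    val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    echo "${val:-1}"
}

# Time one setsebool invocation and print the elapsed whole seconds.
# Uses `date +%s` so it works in plain sh without the bash `time` keyword.
# Returns non-zero if setsebool is missing or fails (e.g. not run as root).
time_setsebool() {
    command -v setsebool >/dev/null 2>&1 || { echo "setsebool not found" >&2; return 1; }
    start=$(date +%s)
    setsebool "$@" || return 1
    end=$(date +%s)
    echo $((end - start))
}

# Compare the two code paths for one boolean (default: deny_ptrace).
# The current value is re-applied so nothing actually changes: a
# non-persistent set only writes /sys/fs/selinux/booleans, while -P goes
# through libsemanage and rebuilds the policy, which is where the time goes.
compare_paths() {
    b="${1:-deny_ptrace}"
    command -v getsebool >/dev/null 2>&1 || { echo "getsebool not found" >&2; return 1; }
    cur=$(getsebool "$b" | awk '{print $3}') || return 1
    echo "expand-check:   $(semanage_expand_check)"
    echo "non-persistent: $(time_setsebool "$b=$cur")s"
    echo "persistent:     $(time_setsebool -P "$b=$cur")s"
}

# Only run the comparison when explicitly asked, e.g.: sh this.sh run deny_ptrace
if [ "${1:-}" = "run" ]; then
    compare_paths "${2:-deny_ptrace}"
fi
```

Run it as root on the affected box with `sh this.sh run deny_ptrace`; the non-persistent line should come back in well under a second while the -P line shows the rebuild cost the report describes. If `semanage_expand_check` prints 1 despite an `expand-check=0` line, check that the line is not commented out, as the grep output above shows both forms.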
Why is the compile so long on my box? (x201s, also ssd). expand-check is also 0 for me.
No clue. Is it repeatable?
Yes, happens every time.
Eric, have any ideas?
Confirmed problem. Slow on my laptop too.
I believe we have a fix. But if you want it faster, and your system to be a little more secure:

semodule -d unconfined

This will disable most of the unconfined domains on your system. unconfined_t will still work.
This is fixed in Fedora 18.