coreutils-5.93-4 libsepol-1.9.41-1 libsemanage-1.3.59-1 libsetrans-0.1.8-1
Not sure if this is a coreutils bug or an selinux bug. Recently, I noticed that a 'make install' that called /usr/bin/install ran *very* slowly:
% time cp hello.c /tmp/hello.c
real 0m0.040s
user 0m0.008s
sys 0m0.016s
% time /usr/bin/install -c -m 644 hello.c /tmp/hello.c
real 0m4.641s
user 0m1.608s
sys 0m0.388s
Literally 100 times slower. Gaak.
A bit of playing with strace showed why:
strace install -c -m 644 hello.c /tmp/hello.c
7,745 system calls. Of those, only 297 were *not* part of the 1,862 times that 'install' did an open/write/read/close of /selinux/context (1,862 x 4 = 7,448 calls) - once for every single file context type it found, whether or not it had anything to do with the file that was actually being installed.
This is a show-stopper, guys - when something like this bloats a 'make install' from something that takes 2 minutes into something that you don't bother checking until you get back from lunch, it *will* add dramatically to the "security takes waaaay too much resources" bandwagon.
Almost-full strace follows.
execve("/usr/bin/install", ["install", "-c", "-m", "644", "hello.c", "/tmp/hello.c"], [/* 56 vars */]) = 0 brk(0) = 0x805a000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f16000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0 mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000 close(3) = 0 open("/usr/lib/libacl.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\23"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=24996, ...}) = 0 mmap2(NULL, 27832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7efd000 mmap2(0xb7f03000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb7f03000 close(3) = 0 open("/lib/libselinux.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`2\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=83848, ...}) = 0 mmap2(NULL, 85008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ee8000 mmap2(0xb7efc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7efc000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0ZW\1\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1460028, ...}) = 0 mmap2(NULL, 1227740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dbc000 mmap2(0xb7ee2000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125) = 0xb7ee2000 mmap2(0xb7ee6000, 7132, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee6000 close(3) = 0 open("/usr/lib/libattr.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=32990, ...}) = 0 mmap2(NULL, 15376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db8000 
mmap2(0xb7dbb000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7dbb000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\f\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=13892, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7db7000 mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db3000 mmap2(0xb7db5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7db5000 close(3) = 0 open("/lib/libsepol.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200#\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=204168, ...}) = 0 mmap2(NULL, 249380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d76000 mmap2(0xb7da8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x31) = 0xb7da8000 mmap2(0xb7da9000, 40484, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7da9000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d75000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d756b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xb7db5000, 4096, PROT_READ) = 0 mprotect(0xb7ee2000, 8192, PROT_READ) = 0 mprotect(0xb7f30000, 4096, PROT_READ) = 0 munmap(0xb7f04000, 72776) = 0 access("/etc/selinux/", F_OK) = 0 brk(0) = 0x805a000 brk(0x807b000) = 0x807b000 open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "# Stray comment\nSELINUX=permissi"..., 4096) = 71 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 1024 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0 mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000 close(3) = 0 open("/lib/libsetrans.so.0", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=6804, ...}) = 0 mmap2(NULL, 9680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d72000 mmap2(0xb7d74000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d74000 close(3) = 0 munmap(0xb7f04000, 72776) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "1", 19) = 1 close(3) = 0 open("/etc/selinux/strict/setrans.conf", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=594, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "#\n# Multi-Category Security tran"..., 4096) = 594 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3 read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 305 open("/proc/self/attr/current", O_RDONLY|O_LARGEFILE) = 4 read(4, "valdis:staff_r:staff_t:s0-s0:c0."..., 4095) = 37 close(4) = 0 close(3) = 0 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=54054656, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7b72000 mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0x121f) = 0xb7b40000 mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x2b89) = 0xb7b3f000 close(3) = 0 geteuid32() = 967 umask(0) = 022 stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0 stat64("hello.c", {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, 
st_size=35, ...}) = 0 unlink("/tmp/hello.c") = 0 open("hello.c", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 open("/tmp/hello.c", O_WRONLY|O_CREAT|O_LARGEFILE, 0100664) = 4 fstat64(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 read(3, "main() {printf("Hello world!\n")"..., 4096) = 35 write(4, "main() {printf("Hello world!\n")"..., 35) = 35 read(3, "", 4096) = 0 close(4) = 0 close(3) = 0 setxattr("/tmp/hello.c", "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x00\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 28, 0) = -1 EOPNOTSUPP (Operation not supported) chmod("/tmp/hello.c", 0600) = 0 chown32("/tmp/hello.c", -1, -1) = 0 chmod("/tmp/hello.c", 0644) = 0 lstat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "1", 19) = 1 close(3) = 0 open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY|O_LARGEFILE) = 3 open("/etc/selinux/strict/contexts/files/file_contexts.homedirs", O_RDONLY|O_LARGEFILE) = 4 open("/etc/selinux/strict/contexts/files/file_contexts.local", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) fstat64(3, {st_mode=S_IFREG|0644, st_size=114044, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3e000 read(3, "# Distro-specific customizations"..., 4096) = 4096 read(3, "b[^/]*\.so(\.[^/]*)* --\tsystem_u"..., 4096) = 4096 read(3, "ovable device...\n/dev/pd[a-d][^/"..., 4096) = 4096 read(3, "r:bin_t:s0\n/opt(/.*)?/sbin(/.*)?"..., 4096) = 4096 read(3, "*)?\tsystem_u:object_r:man_t:s0\n/"..., 4096) = 4096 read(3, "/usr/sbin/accton\t--\tsystem_u:obj"..., 4096) = 4096 read(3, "-\tsystem_u:object_r:amanda_user_"..., 4096) = 4096 read(3, "\n/var/run/\.?acpid\.socket\t-s\tsy"..., 4096) = 4096 read(3, "ject_r:comsat_exec_t:s0\n# consol"..., 4096) = 4096 read(3, "r:bin_t:s0\n/usr/lib(64)?/cups/cg"..., 
4096) = 4096 read(3, "larm-notify.*\t--\tsystem_u:object"..., 4096) = 4096 read(3, "object_r:xferlog_t:s0\n/var/log/x"..., 4096) = 4096 read(3, "usr/lib/gnupg/.*\t--\tsystem_u:obj"..., 4096) = 4096 read(3, "_t:s0\n/etc/init\.d/.*\t\t--\tsystem"..., 4096) = 4096 read(3, "tem_u:object_r:innd_exec_t:s0\n# "..., 4096) = 4096 read(3, "--\tsystem_u:object_r:load_policy"..., 4096) = 4096 read(3, "ct_r:lvm_exec_t:s0\n/sbin/vgscan\t"..., 4096) = 4096 read(3, "luggerrc system_u:object_r:mozil"..., 4096) = 4096 read(3, "\t\tsystem_u:object_r:ntpd_log_t:s"..., 4096) = 4096 read(3, "\n/usr/sbin/postqueue\t--\tsystem_u"..., 4096) = 4096 read(3, "voxy(/.*)?\t\tsystem_u:object_r:pr"..., 4096) = 4096 read(3, "_u:object_r:samba_log_t:s0\n/var/"..., 4096) = 4096 read(3, "var_run_t:s0\n/var/run/snmpd\t\t-d\t"..., 4096) = 4096 read(3, "ct_r:traceroute_exec_t:s0\n/usr/b"..., 4096) = 4096 read(3, ":s0\n#/usr/local/vmware/[^/]*/.*\"..., 4096) = 4096 read(3, "on\n/usr/sbin/zebra\t\t--\tsystem_u:"..., 4096) = 4096 read(3, "tem_u:object_r:bin_t:s0\n/emul/ia"..., 4096) = 4096 read(3, "r:texrel_shlib_t:s0\n/usr/lib/lad"..., 4096) = 3452 read(3, "", 4096) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=9381, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3d000 read(4, "\n#\n#\n# User-specific file contex"..., 4096) = 4096 read(4, "onts.cache-.*\t--\troot:object_r:s"..., 4096) = 4096 read(4, "me_t:s0\n/home/valdis/\.screenrc\t"..., 4096) = 1189 read(4, "", 4096) = 0 _llseek(3, 0, [0], SEEK_SET) = 0 _llseek(4, 0, [0], SEEK_SET) = 0 read(3, "# Distro-specific customizations"..., 4096) = 4096 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "system_u:object_r:default_t:s0\0", 31) = 31 read(5, "system_u:object_r:default_t:s0\0", 4095) = 31 close(5) = 0 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "system_u:object_r:root_t:s0\0", 28) = 28 read(5, "system_u:object_r:root_t:s0\0", 4095) = 28 close(5) = 0
(1,858 iterations of open/write/read/close deleted)
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37 read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37 close(5) = 0 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37 read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37 close(5) = 0 close(3) = 0 munmap(0xb7b3e000, 4096) = 0 close(4) = 0 munmap(0xb7b3d000, 4096) = 0 brk(0x863e000) = 0x863e000 close(1) = 0 munmap(0xb7d72000, 9680) = 0 exit_group(0) = ? Process 17917 detached
Valdis.Kletnieks@vt.edu wrote:
coreutils-5.93-4 libsepol-1.9.41-1 libsemanage-1.3.59-1 libsetrans-0.1.8-1
Not sure if this is a coreutils bug or an selinux bug. Recently, I noticed that a 'make install' that called /usr/bin/install ran *very* slowly:
% time cp hello.c /tmp/hello.c
real 0m0.040s
user 0m0.008s
sys 0m0.016s
% time /usr/bin/install -c -m 644 hello.c /tmp/hello.c
real 0m4.641s
user 0m1.608s
sys 0m0.388s
Literally 100 times slower. Gaak.
A bit of playing with strace showed why:
strace install -c -m 644 hello.c /tmp/hello.c
7,745 system calls. Of those, only 297 were *not* part of the 1,862 times that 'install' did an open/write/read/close of /selinux/context - once for every single file context type it found, whether or not it had anything to do with the file that was actually being installed.
This is a show-stopper, guys - when something like this bloats a 'make install' from something that takes 2 minutes into something that you don't bother checking until you get back from lunch, it *will* add dramatically to the "security takes waaaay too much resources" bandwagon.
Almost-full strace follows.
execve("/usr/bin/install", ["install", "-c", "-m", "644", "hello.c", "/tmp/hello.c"], [/* 56 vars */]) = 0 brk(0) = 0x805a000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f16000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0 mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000 close(3) = 0 open("/usr/lib/libacl.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\23"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=24996, ...}) = 0 mmap2(NULL, 27832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7efd000 mmap2(0xb7f03000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb7f03000 close(3) = 0 open("/lib/libselinux.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`2\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=83848, ...}) = 0 mmap2(NULL, 85008, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ee8000 mmap2(0xb7efc000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7efc000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0ZW\1\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1460028, ...}) = 0 mmap2(NULL, 1227740, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7dbc000 mmap2(0xb7ee2000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x125) = 0xb7ee2000 mmap2(0xb7ee6000, 7132, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee6000 close(3) = 0 open("/usr/lib/libattr.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=32990, ...}) = 0 mmap2(NULL, 15376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db8000 
mmap2(0xb7dbb000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7dbb000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\f\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=13892, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7db7000 mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db3000 mmap2(0xb7db5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7db5000 close(3) = 0 open("/lib/libsepol.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200#\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=204168, ...}) = 0 mmap2(NULL, 249380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d76000 mmap2(0xb7da8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x31) = 0xb7da8000 mmap2(0xb7da9000, 40484, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7da9000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d75000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d756b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xb7db5000, 4096, PROT_READ) = 0 mprotect(0xb7ee2000, 8192, PROT_READ) = 0 mprotect(0xb7f30000, 4096, PROT_READ) = 0 munmap(0xb7f04000, 72776) = 0 access("/etc/selinux/", F_OK) = 0 brk(0) = 0x805a000 brk(0x807b000) = 0x807b000 open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=71, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "# Stray comment\nSELINUX=permissi"..., 4096) = 71 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 1024) = 1024 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=72776, ...}) = 0 mmap2(NULL, 72776, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f04000 close(3) = 0 open("/lib/libsetrans.so.0", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\000"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=6804, ...}) = 0 mmap2(NULL, 9680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d72000 mmap2(0xb7d74000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7d74000 close(3) = 0 munmap(0xb7f04000, 72776) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "1", 19) = 1 close(3) = 0 open("/etc/selinux/strict/setrans.conf", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=594, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f15000 read(3, "#\n# Multi-Category Security tran"..., 4096) = 594 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb7f15000, 4096) = 0 open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3 read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 4095) = 305 open("/proc/self/attr/current", O_RDONLY|O_LARGEFILE) = 4 read(4, "valdis:staff_r:staff_t:s0-s0:c0."..., 4095) = 37 close(4) = 0 close(3) = 0 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=54054656, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7b72000 mmap2(NULL, 204800, PROT_READ, MAP_PRIVATE, 3, 0x121f) = 0xb7b40000 mmap2(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0x2b89) = 0xb7b3f000 close(3) = 0 geteuid32() = 967 umask(0) = 022 stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0 stat64("hello.c", {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 stat64("/tmp/hello.c", {st_mode=S_IFREG|0644, 
st_size=35, ...}) = 0 unlink("/tmp/hello.c") = 0 open("hello.c", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 open("/tmp/hello.c", O_WRONLY|O_CREAT|O_LARGEFILE, 0100664) = 4 fstat64(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0664, st_size=35, ...}) = 0 read(3, "main() {printf("Hello world!\n")"..., 4096) = 35 write(4, "main() {printf("Hello world!\n")"..., 35) = 35 read(3, "", 4096) = 0 close(4) = 0 close(3) = 0 setxattr("/tmp/hello.c", "system.posix_acl_access", "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x04\x00\x00\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 28, 0) = -1 EOPNOTSUPP (Operation not supported) chmod("/tmp/hello.c", 0600) = 0 chown32("/tmp/hello.c", -1, -1) = 0 chmod("/tmp/hello.c", 0644) = 0 lstat64("/tmp/hello.c", {st_mode=S_IFREG|0644, st_size=35, ...}) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "1", 19) = 1 close(3) = 0 open("/etc/selinux/strict/contexts/files/file_contexts", O_RDONLY|O_LARGEFILE) = 3 open("/etc/selinux/strict/contexts/files/file_contexts.homedirs", O_RDONLY|O_LARGEFILE) = 4 open("/etc/selinux/strict/contexts/files/file_contexts.local", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) fstat64(3, {st_mode=S_IFREG|0644, st_size=114044, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3e000 read(3, "# Distro-specific customizations"..., 4096) = 4096 read(3, "b[^/]*\.so(\.[^/]*)* --\tsystem_u"..., 4096) = 4096 read(3, "ovable device...\n/dev/pd[a-d][^/"..., 4096) = 4096 read(3, "r:bin_t:s0\n/opt(/.*)?/sbin(/.*)?"..., 4096) = 4096 read(3, "*)?\tsystem_u:object_r:man_t:s0\n/"..., 4096) = 4096 read(3, "/usr/sbin/accton\t--\tsystem_u:obj"..., 4096) = 4096 read(3, "-\tsystem_u:object_r:amanda_user_"..., 4096) = 4096 read(3, "\n/var/run/\.?acpid\.socket\t-s\tsy"..., 4096) = 4096 read(3, "ject_r:comsat_exec_t:s0\n# consol"..., 4096) = 4096 read(3, "r:bin_t:s0\n/usr/lib(64)?/cups/cg"..., 
4096) = 4096 read(3, "larm-notify.*\t--\tsystem_u:object"..., 4096) = 4096 read(3, "object_r:xferlog_t:s0\n/var/log/x"..., 4096) = 4096 read(3, "usr/lib/gnupg/.*\t--\tsystem_u:obj"..., 4096) = 4096 read(3, "_t:s0\n/etc/init\.d/.*\t\t--\tsystem"..., 4096) = 4096 read(3, "tem_u:object_r:innd_exec_t:s0\n# "..., 4096) = 4096 read(3, "--\tsystem_u:object_r:load_policy"..., 4096) = 4096 read(3, "ct_r:lvm_exec_t:s0\n/sbin/vgscan\t"..., 4096) = 4096 read(3, "luggerrc system_u:object_r:mozil"..., 4096) = 4096 read(3, "\t\tsystem_u:object_r:ntpd_log_t:s"..., 4096) = 4096 read(3, "\n/usr/sbin/postqueue\t--\tsystem_u"..., 4096) = 4096 read(3, "voxy(/.*)?\t\tsystem_u:object_r:pr"..., 4096) = 4096 read(3, "_u:object_r:samba_log_t:s0\n/var/"..., 4096) = 4096 read(3, "var_run_t:s0\n/var/run/snmpd\t\t-d\t"..., 4096) = 4096 read(3, "ct_r:traceroute_exec_t:s0\n/usr/b"..., 4096) = 4096 read(3, ":s0\n#/usr/local/vmware/[^/]*/.*\"..., 4096) = 4096 read(3, "on\n/usr/sbin/zebra\t\t--\tsystem_u:"..., 4096) = 4096 read(3, "tem_u:object_r:bin_t:s0\n/emul/ia"..., 4096) = 4096 read(3, "r:texrel_shlib_t:s0\n/usr/lib/lad"..., 4096) = 3452 read(3, "", 4096) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=9381, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7b3d000 read(4, "\n#\n#\n# User-specific file contex"..., 4096) = 4096 read(4, "onts.cache-.*\t--\troot:object_r:s"..., 4096) = 4096 read(4, "me_t:s0\n/home/valdis/\.screenrc\t"..., 4096) = 1189 read(4, "", 4096) = 0 _llseek(3, 0, [0], SEEK_SET) = 0 _llseek(4, 0, [0], SEEK_SET) = 0 read(3, "# Distro-specific customizations"..., 4096) = 4096 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "system_u:object_r:default_t:s0\0", 31) = 31 read(5, "system_u:object_r:default_t:s0\0", 4095) = 31 close(5) = 0 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "system_u:object_r:root_t:s0\0", 28) = 28 read(5, "system_u:object_r:root_t:s0\0", 4095) = 28 close(5) = 0
(1,858 iterations of open/write/read/close deleted)
open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37 read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37 close(5) = 0 open("/selinux/context", O_RDWR|O_LARGEFILE) = 5 write(5, "valdis:object_r:staff_orbit_tmp_"..., 37) = 37 read(5, "valdis:object_r:staff_orbit_tmp_"..., 4095) = 37 close(5) = 0 close(3) = 0 munmap(0xb7b3e000, 4096) = 0 close(4) = 0 munmap(0xb7b3d000, 4096) = 0 brk(0x863e000) = 0x863e000 close(1) = 0 munmap(0xb7d72000, 9680) = 0 exit_group(0) = ? Process 17917 detached
Sounds like that is probably the udev problem also.
On Wed, 2005-11-30 at 14:24 -0500, Daniel J Walsh wrote:
Sounds like that is probably the udev problem also.
The issue is the complete processing of file_contexts by matchpathcon_init() even when the caller is only going to do a single matchpathcon(). That costs us both in regex compilation time and in context validation/canonicalization time (the only change in the latter is that we now read back the canonical context from the kernel; we were already writing the context to the kernel to validate it). As the original user of matchpathcon was setfiles/restorecon, that was reasonable (we wanted the entire configuration). For udev and install, it isn't.
Solution is likely to provide a variant of matchpathcon_init() that allows the caller to specify a prefix, and only process file_contexts entries with that prefix.
On Wed, 2005-11-30 at 14:52 -0500, Stephen Smalley wrote:
On Wed, 2005-11-30 at 14:24 -0500, Daniel J Walsh wrote:
Sounds like that is probably the udev problem also.
The issue is the complete processing of file_contexts by matchpathcon_init() even when the caller is only going to do a single matchpathcon(). That costs us both in regex compilation time and in context validation/canonicalization time (the only change in the latter is that we now read back the canonical context from the kernel; we were already writing the context to the kernel to validate it). As the original user of matchpathcon was setfiles/restorecon, that was reasonable (we wanted the entire configuration). For udev and install, it isn't.
Solution is likely to provide a variant of matchpathcon_init() that allows the caller to specify a prefix, and only process file_contexts entries with that prefix.
Much of the install slowdown should be addressed by libselinux 1.27.28. We can also potentially improve that further by modifying install to use the new matchpathcon_init_prefix() interface, but some improvement should be immediately evident from the new libselinux.