SELinux : semodule -i local.pp is loading very very slow (up to 4-5 minutes)
Hello,
Not sure if I posted this message in the right category, but I think it is related to the kernel (compared with the other categories I had in the list).
On a Linux FC9 box, just upgraded from FC8, with:
kernel: 2.6.26.3-29.fc9.i686
selinux: 3.3.1-103.fc9
besides the modules that are already in the system (default), I had to add a new module (local.pp, as the good documentation advises).
The thing is, when I load this module using semodule -i local.pp (or remove it using semodule -r local.pp), it takes about 5 minutes to execute this operation.
Strangely, on FC8 (I cannot remember the kernel or SELinux version) this operation took less than 10 seconds, even though the module was much bigger than this new one.
No idea, since I don't know the difference between F8 and F9 policies, how many lines your local.pp contained and what it affected. Since you only have to --install local.pp once after changes, does it really matter? Or do you make lots of changes?
Well, basically yes, it is loaded only once, but imagine this:
You upgrade the kernel, for example; then to install it you have to reboot the machine (or for some other reason you have to reboot the machine).
It takes 4 minutes to remove the module and 4 minutes to install it (I am not 100% sure whether the module is removed when the machine is shutting down). This increases the reboot time quite a lot, generating downtime, and is not a good thing.
For example, yesterday I rebooted the machine remotely, and it was not answering after 5 minutes. I said, that's it, I am doomed, it will not start, so I have to contact somebody who is on-site. Of course, after 5 more minutes it worked, but it was frustrating.
Quote:
Originally Posted by oc77
You upgrade the kernel, for example; then to install it you have to reboot the machine
So how often does that happen? And you could schedule a reboot at the least busy time, right?
Quote:
Originally Posted by oc77
(I am not 100% sure whether the module is removed when the machine is shutting down)
A binary policy module gets installed and then gets used until replaced or removed. Rebooting doesn't mean removing and reinstalling the policy modules AFAIK.
Still, I have no idea about the difference between F8 and F9 policies, how many lines your local.pp contains and what it affects...
Quote:
Originally Posted by unSpawn
So how often does that happen? And you could schedule a reboot at the least busy time, right?
If we put it like that, indeed, it happens perhaps once a month. But this is not the point. Since it takes so much time, I am worried that perhaps something is wrong.
For me it is bothersome because I am doing an audit to see what needs to be allowed in the local.te module, so I run semodule -i local.pp quite many times. Actually this is where I started to worry, since the machine is quite powerful and is not overloaded (load average is at most 0.3).
Quote:
Originally Posted by unSpawn
A binary policy module gets installed and then gets used until replaced or removed. Rebooting doesn't mean removing and reinstalling the policy modules AFAIK.
Yes, but when the machine reboots, I believe it unloads the modules somehow. It is not removing them; at least I am thinking this because it takes about 10 minutes to reboot (loading and unloading the SELinux modules taking most of the time). However, this is a guess of mine and we should not discuss it, because it is not so important.
Quote:
Originally Posted by unSpawn
Still, I have no idea about the difference between F8 and F9 policies, how many lines your local.pp contains and what it affects...
local.te contains about 900 lines. It is not so big (I had a bigger file before I did the upgrade).
In addition, I noticed something else.
At some point, semodule -l was showing me around 5-6 modules loaded (including local). At that time I was adding some definitions to local.te and running this semodule install quite often, but it took at most 30 seconds.
After a forced reinstall of the SELinux packages (because I noticed that some contexts were not defined correctly), I noticed that I now have 76 modules loaded, and when I use semodule -i local.pp it takes way too much time.
These modules are defaults, I never set them to load/unload, but I am thinking maybe the big number of modules is doing this. I even tried strace on semodule -i local.pp, but frankly I didn't understand too
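The audit loop described in the post above (collect AVC denials, add allow rules to local.te, rebuild and reinstall local.pp) is the step that audit2allow automates. As an added illustration that is not part of this thread and not the poster's local.te, here is a stripped-down version of that step in Python: it parses constructed "avc: denied" audit.log lines, merges repeated denials on the same (source type, target type, class) into one rule, and emits a .te source with the require block checkmodule needs. The sample log lines, the module name local and the GENERIC_TARGET_TYPES heuristic are assumptions made here, not anything from the thread.

```python
"""Minimal AVC-denial aggregator: turns audit.log "avc: denied" lines into
candidate allow rules for a local.te module. Added example for this thread;
it is not audit2allow and not the poster's own local.te."""
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the poster's machine).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1221200000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="app.conf" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1221200001.456:457): avc:  denied  { open } for  pid=2345 comm="httpd" name="app.conf" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1221200002.789:458): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1221200003.012:459): avc:  denied  { write } for  pid=2345 comm="httpd" name="app.conf" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1221200003.012:459): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (an assumption of this example, not policy doctrine): a denial
# against one of these broad default labels usually means the object is
# mislabeled, not that the domain needs access to everything carrying it.
GENERIC_TARGET_TYPES = {"var_t", "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t"}


def context_type(ctx):
    """user:role:type[:level...] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(lines):
    """Yield (stype, ttype, tclass, perms) for each 'avc: denied' line;
    other record types (SYSCALL, PATH, ...) are ignored."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def aggregate(denials):
    """Merge denials into {(stype, ttype, tclass): set(perms)} so repeated
    read/open/write hits on one object collapse into a single allow rule."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_te(rules, module_name="local", version="1.0"):
    """Render loadable-module source (.te) with the require block that
    checkmodule needs for every type and class the rules reference."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ " + perm_txt + " }"
        if ttype in GENERIC_TARGET_TYPES:
            out.append(f"# REVIEW: {ttype} is a generic label; relabel the object instead of allowing this?")
        out.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(aggregate(parse_avc(SAMPLE_AUDIT.splitlines()))), end="")
```

The generated file is built and installed the usual way: checkmodule -M -m -o local.mod local.te, then semodule_package -o local.pp -m local.mod, then semodule -i local.pp. Collecting a whole round of denials into one rebuild keeps the number of slow semodule -i runs down; the REVIEW lines are worth acting on before installing, since allowing a domain to write var_t grants it every file carrying that label, not just the one that was denied.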
I find that use of --force most of the time is a failure to address the real problem. I'd start at the beginning with a clean load of packages and a clean policy and take it from there. Sure, it might be a hassle to clean things up, but in the end you'll have a much better basis to operate on.
Quote:
Originally Posted by unSpawn
I find that use of --force most of the time is a failure to address the real problem. I'd start at the beginning with a clean load of packages and a clean policy and take it from there. Sure, it might be a hassle to clean things up, but in the end you'll have a much better basis to operate on.
Well, indeed --force must be used with caution. I use it quite rarely. In this case, somebody performed a full upgrade of the machine, and SELinux hung during that upgrade, so it didn't finish the upgrade of the SELinux packages (basically not all roles, contexts and other stuff were created; for this reason, when I was logging in it was saying "Unable to get valid context for [username]"). After I did rpm -Uhv --force on all related SELinux packages, that error was gone and I saw all the roles created (by comparing to another machine). So I guess in this case --force was beneficial (considering I simply re-did the upgrade of exactly the same packages).
What is very interesting is that today I upgraded another box. The upgrade ran very smoothly, without any problem at all. But the SELinux module load issue is exactly the same. It takes a lot of time loading them. Here we have a different box, but the same trouble.
Anyway, thanks for hanging with me on this post. I guess the main thing I have to do is to remove unused SELinux modules. I have a hunch that this is taking so much time because of the unused modules that are loaded on boot.
Quote:
Originally Posted by oc77
What is very interesting is that today I upgraded another box. The upgrade ran very smoothly, without any problem at all. But the SELinux module load issue is exactly the same. It takes a lot of time loading them. Here we have a different box, but the same trouble. (...) I guess the main thing I have to do is to remove unused SELinux modules. I have a hunch that this is taking so much time because of the unused modules that are loaded on boot.
On to the Fedora users mailing list before filing a bug report then...