
List:       fedora-selinux-list
Subject:    Re: find invalid fcontext without autorelabeling
From:       Daniel J Walsh <dwalsh () redhat ! com>
Date:       2014-10-25 10:55:14
Message-ID: 544B8192.7050400 () redhat ! com


On 10/25/2014 03:32 AM, george karakou wrote:
> I disabled modules that I will never need. For example docker, cobbler
> and others from contrib. I thought that if the selinux engine would
> have to parse 1000 allow rules for every call parsing 800 would
> provide a faster decision. The rest would be denied. Anyway restorecon
> was the solution. Now I think it might be a good idea to run a
> weekly/monthly cronjob and have restorecon in it. I just can't remember
> when was the last time I ran the command. It must have been over a year.
> Thanks
>
Well, SELinux is highly optimized for reading the rules, so the first
time it looks up an access decision it is cached and never looked up
again (unless the policy changes).  Removing a few thousand rules is
probably not going to be measurably faster.  But you will save some
kernel memory.

> On 10/24/2014 08:41 PM, Daniel J Walsh wrote:
>> It is doubtful disabling modules will not make SELinux run faster.
>>
>> You could have done something like
>>
>> find / -context "*:unlabeled_t:*" -print0 | restorecon -f - -0
>>
>> But
>>
>> restorecon -R /
>>
>> Would also work.
>>
>> On 10/24/2014 01:27 PM, george karakou wrote:
>>> It seems that restorecon -Rv / would do the trick, thanks
>>>
>>> On 10/24/2014 08:15 PM, Yusuf Hadiwinata wrote:
>>>> Hi
>>>>
>>>> You need to know the right security context and use semanage
>>>> fcontext -t
>>>> http_sys_content_t '/var/www/myweb' and run restorecon for example
>>>>
>>> -- 
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
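
A report-only variant of the relabel discussed in this thread, as an added example that is not part of any poster's message: it parses `restorecon -R -n -v` dry-run output so mislabeled or `unlabeled_t` files can be reviewed before anything is changed. The sample lines are constructed, the two output formats handled are assumptions about restorecon versions, and `audit_labels` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example: report-only label audit (changes nothing on disk).

# Constructed sample of `restorecon -R -n -v` output. The two line formats
# are assumptions about newer and older restorecon versions.
sample_output() {
cat <<'EOF'
Would relabel /var/www/myweb/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /srv/my files/a.txt from system_u:object_r:unlabeled_t:s0 to system_u:object_r:var_t:s0
restorecon reset /etc/example.conf context system_u:object_r:unlabeled_t:s0->system_u:object_r:etc_t:s0
EOF
}

# Read dry-run output on stdin; print "old_type<TAB>new_type<TAB>path".
parse_relabels() {
  awk '
    function emit(o, n, path,   a, b) {
      split(o, a, ":"); split(n, b, ":")   # user:role:type:level
      printf "%s\t%s\t%s\n", a[3], b[3], path
    }
    # Fields are read from the end so paths containing spaces still parse.
    NF >= 6 && $1 == "Would" && $2 == "relabel" && $(NF-3) == "from" && $(NF-1) == "to" {
      path = $0
      sub(/^Would relabel /, "", path)
      sub(/ from [^ ]+ to [^ ]+$/, "", path)
      emit($(NF-2), $NF, path); next
    }
    NF >= 5 && $1 == "restorecon" && $2 == "reset" && $(NF-1) == "context" {
      split($NF, ctx, "->")
      path = $0
      sub(/^restorecon reset /, "", path)
      sub(/ context [^ ]+$/, "", path)
      emit(ctx[1], ctx[2], path)
    }
  '
}

# Count entries whose current type is unlabeled_t.
count_unlabeled() {
  parse_relabels | awk -F '\t' '$1 == "unlabeled_t" { n++ } END { print n + 0 }'
}

# Hypothetical cron wrapper: -n makes no changes, -v prints each mismatch.
audit_labels() {
  restorecon -R -n -v "${1:-/}" 2>/dev/null | parse_relabels
}

sample_output | parse_relabels
```
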