<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.3">
</HEAD>
<BODY>
Ok, sounds like I could get around this by linking SASL against a different set of Kerberos libraries and a bit of selinux policy to allow the cache to work weather or not it is labeled correctly for selinux.<BR>
<BR>
Thanks Nalin<BR>
<BR>
Matt<BR>
On Mon, 2012-09-10 at 21:45 -0400, Nalin Dahyabhai wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote:</FONT>
<FONT COLOR="#000000">> It seems that sasl_server_start() takes 0.17 seconds to run with selinux</FONT>
<FONT COLOR="#000000">> is disabled and takes 1.28 seconds to run when selinux is enabled.</FONT>
<FONT COLOR="#000000">[snip]</FONT>
<FONT COLOR="#000000">> Some more details, the test system is running CentOS 6.3, which came</FONT>
<FONT COLOR="#000000">> with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries. I first noticed</FONT>
<FONT COLOR="#000000">> the problem with OpenLDAP 2.4.28. I have since compiled SASL 2.1.25 and</FONT>
<FONT COLOR="#000000">> confirmed the problem using the sample client and sample server.</FONT>
<FONT COLOR="#000000">We have a local patch that we apply to try to keep replay caches (well,</FONT>
<FONT COLOR="#000000">anything libkrb5 creates) labeled correctly for SELinux. Up through</FONT>
<FONT COLOR="#000000">6.2, the patch didn't cover the case of replay caches when they were</FONT>
<FONT COLOR="#000000">being flushed, and we fixed that for 6.3. It turned out that fixing</FONT>
<FONT COLOR="#000000">that came with a pretty big speed hit. We're tracking this as #845125</FONT>
<FONT COLOR="#000000">and #846472 in our bugzilla [1] and are working on an update.</FONT>
<FONT COLOR="#000000">HTH,</FONT>
<FONT COLOR="#000000">Nalin</FONT>
<FONT COLOR="#000000">[1] <A HREF="http://bugzilla.redhat.com/845125">http://bugzilla.redhat.com/845125</A>, <A HREF="http://bugzilla.redhat.com/846472">http://bugzilla.redhat.com/846472</A></FONT>
</PRE>
</BLOCKQUOTE>
</BODY>
</HTML>