SASL slow when selinux enabled

Nalin Dahyabhai nalin at redhat.com
Mon Sep 10 21:45:36 EDT 2012


On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote:
> It seems that sasl_server_start() takes 0.17 seconds to run when selinux
> is disabled and takes 1.28 seconds to run when selinux is enabled.
[snip]
> Some more details, the test system is running CentOS 6.3, which came
> with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries.  I first noticed
> the problem with OpenLDAP 2.4.28.  I have since compiled SASL 2.1.25 and
> confirmed the problem using the sample client and sample server.

We have a local patch that we apply to try to keep replay caches (well,
anything libkrb5 creates) labeled correctly for SELinux.  Up through
6.2, the patch didn't cover the case of replay caches when they were
being flushed, and we fixed that for 6.3.  It turned out that fixing
that came with a pretty big speed hit.  We're tracking this as #845125
and #846472 in our bugzilla [1] and are working on an update.

HTH,

Nalin

[1] http://bugzilla.redhat.com/845125, http://bugzilla.redhat.com/846472

