SASL slow when selinux enabled
Matthew B. Brookover
mbrookov at mines.edu
Tue Sep 11 10:08:45 EDT 2012
Ok, sounds like I could get around this by linking SASL against a
different set of Kerberos libraries and a bit of selinux policy to allow
the cache to work whether or not it is labeled correctly for selinux.
Thanks Nalin
Matt
On Mon, 2012-09-10 at 21:45 -0400, Nalin Dahyabhai wrote:
> On Mon, Sep 10, 2012 at 05:44:58PM -0600, Matthew B. Brookover wrote:
> > It seems that sasl_server_start() takes 0.17 seconds to run when selinux
> > is disabled and takes 1.28 seconds to run when selinux is enabled.
> [snip]
> > Some more details, the test system is running CentOS 6.3, which came
> > with Cyrus SASL 2.1.23 and MIT Kerberos 1.9 libraries. I first noticed
> > the problem with OpenLDAP 2.4.28. I have since compiled SASL 2.1.25 and
> > confirmed the problem using the sample client and sample server.
>
> We have a local patch that we apply to try to keep replay caches (well,
> anything libkrb5 creates) labeled correctly for SELinux. Up through
> 6.2, the patch didn't cover the case of replay caches when they were
> being flushed, and we fixed that for 6.3. It turned out that fixing
> that came with a pretty big speed hit. We're tracking this as #845125
> and #846472 in our bugzilla [1] and are working on an update.
>
> HTH,
>
> Nalin
>
> [1] http://bugzilla.redhat.com/845125, http://bugzilla.redhat.com/846472