libsemanage: improve performance of semanage store rebuild

Message ID	20250225075555.16136-1-lautrbach@redhat.com (mailing list archive)
State	New
Delegated to:	Petr Lautrbach
Headers	show Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D541425B67D for <selinux@vger.kernel.org>; Tue, 25 Feb 2025 07:56:04 +0000 (UTC) From: Petr Lautrbach <lautrbach@redhat.com> To: selinux@vger.kernel.org Cc: Petr Lautrbach <lautrbach@redhat.com> Subject: [PATCH] libsemanage: improve performance of semanage store rebuild Date: Tue, 25 Feb 2025 08:55:23 +0100 Message-ID: <20250225075555.16136-1-lautrbach@redhat.com> Precedence: bulk MIME-Version: 1.0 Content-type: text/plain Content-Transfer-Encoding: 8bit
Series	libsemanage: improve performance of semanage store rebuild \| expand libsemanage: improve performance of semanage store rebuild

Message ID

20250225075555.16136-1-lautrbach@redhat.com (mailing list archive)

State

New

Delegated to:

Petr Lautrbach

Headers

From: Petr Lautrbach <lautrbach@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <lautrbach@redhat.com>
Subject: [PATCH] libsemanage: improve performance of semanage store rebuild
Date: Tue, 25 Feb 2025 08:55:23 +0100
Message-ID: <20250225075555.16136-1-lautrbach@redhat.com>
Precedence: bulk
MIME-Version: 1.0
Content-type: text/plain
Content-Transfer-Encoding: 8bit

Series

libsemanage: improve performance of semanage store rebuild | expand

Commit Message

Petr Lautrbach Feb. 25, 2025, 7:55 a.m. UTC

Commit 9d107ab77ba4 ("libsemanage: Set new restorecon handle before doing restorecon
") added reopeniong selabel handle every time semanage_setfiles() is
called. It means that during `semodule -B`, `selabel_close()` and
`selabel_open()` could be called more than 1800x what could have a
significant performance impact.

It should be enough to reopen selabel handle just after semanage commit
when changes are applied.

Before 9d107ab77ba4:
    semodule -B  5.84s user 0.52s system 96% cpu 6.585 total

After 9d107ab77ba4:
    semodule -B  11.15s user 0.64s system 98% cpu 11.952 total

With this patch:
    semodule -B  5.51s user 0.41s system 98% cpu 6.014 total

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
 libsemanage/src/semanage_store.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

Comments

Jason Zaman Feb. 26, 2025, 4:27 p.m. UTC | #1

On Tue, Feb 25, 2025 at 08:55:23AM +0100, Petr Lautrbach wrote:
> Commit 9d107ab77ba4 ("libsemanage: Set new restorecon handle before doing restorecon
> ") added reopeniong selabel handle every time semanage_setfiles() is
> called. It means that during `semodule -B`, `selabel_close()` and
> `selabel_open()` could be called more than 1800x what could have a
> significant performance impact.
> 
> It should be enough to reopen selabel handle just after semanage commit
> when changes are applied.
> 
> Before 9d107ab77ba4:
>     semodule -B  5.84s user 0.52s system 96% cpu 6.585 total
> 
> After 9d107ab77ba4:
>     semodule -B  11.15s user 0.64s system 98% cpu 11.952 total
> 
> With this patch:
>     semodule -B  5.51s user 0.41s system 98% cpu 6.014 total
> 
> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>

> ---
>  libsemanage/src/semanage_store.c | 7 +++----
>  1 file changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index cf9aa809b7f8..307f27f9838b 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -1712,6 +1712,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>  	    semanage_path(SEMANAGE_PREVIOUS, SEMANAGE_TOPLEVEL);
>  	const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
>  	struct stat buf;
> +	struct selabel_handle *sehandle;
>  
>  	/* update the commit number */
>  	if ((commit_number = semanage_direct_get_serial(sh)) < 0) {
> @@ -1822,6 +1823,8 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>  
>        cleanup:
>  	semanage_release_active_lock(sh);
> +	sehandle = selinux_restorecon_default_handle();
> +	selinux_restorecon_set_sehandle(sehandle);
>  	return retval;
>  }
>  
> @@ -3012,14 +3015,10 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
>  void semanage_setfiles(semanage_handle_t * sh, const char *path){
>  	struct stat sb;
>  	int fd;
> -	struct selabel_handle *sehandle;
>  
>  	union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
>  	union selinux_callback cb = { .func_log = log_callback_mute };
>  
> -	sehandle = selinux_restorecon_default_handle();
> -	selinux_restorecon_set_sehandle(sehandle);
> -
>  	/* Mute all logs */
>  	selinux_set_callback(SELINUX_CB_LOG, cb);
>  
> -- 
> 2.48.1
> 
>

Petr Lautrbach March 3, 2025, 6:06 p.m. UTC | #2

Jason Zaman <jason@perfinion.com> writes:

> On Tue, Feb 25, 2025 at 08:55:23AM +0100, Petr Lautrbach wrote:
>> Commit 9d107ab77ba4 ("libsemanage: Set new restorecon handle before doing restorecon
>> ") added reopeniong selabel handle every time semanage_setfiles() is
>> called. It means that during `semodule -B`, `selabel_close()` and
>> `selabel_open()` could be called more than 1800x what could have a
>> significant performance impact.
>> 
>> It should be enough to reopen selabel handle just after semanage commit
>> when changes are applied.
>> 
>> Before 9d107ab77ba4:
>>     semodule -B  5.84s user 0.52s system 96% cpu 6.585 total
>> 
>> After 9d107ab77ba4:
>>     semodule -B  11.15s user 0.64s system 98% cpu 11.952 total
>> 
>> With this patch:
>>     semodule -B  5.51s user 0.41s system 98% cpu 6.014 total
>> 
>> Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
> Acked-by: Jason Zaman <jason@perfinion.com>

Merged.


>> ---
>>  libsemanage/src/semanage_store.c | 7 +++----
>>  1 file changed, 3 insertions(+), 4 deletions(-)
>> 
>> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
>> index cf9aa809b7f8..307f27f9838b 100644
>> --- a/libsemanage/src/semanage_store.c
>> +++ b/libsemanage/src/semanage_store.c
>> @@ -1712,6 +1712,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>>  	    semanage_path(SEMANAGE_PREVIOUS, SEMANAGE_TOPLEVEL);
>>  	const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
>>  	struct stat buf;
>> +	struct selabel_handle *sehandle;
>>  
>>  	/* update the commit number */
>>  	if ((commit_number = semanage_direct_get_serial(sh)) < 0) {
>> @@ -1822,6 +1823,8 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>>  
>>        cleanup:
>>  	semanage_release_active_lock(sh);
>> +	sehandle = selinux_restorecon_default_handle();
>> +	selinux_restorecon_set_sehandle(sehandle);
>>  	return retval;
>>  }
>>  
>> @@ -3012,14 +3015,10 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
>>  void semanage_setfiles(semanage_handle_t * sh, const char *path){
>>  	struct stat sb;
>>  	int fd;
>> -	struct selabel_handle *sehandle;
>>  
>>  	union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
>>  	union selinux_callback cb = { .func_log = log_callback_mute };
>>  
>> -	sehandle = selinux_restorecon_default_handle();
>> -	selinux_restorecon_set_sehandle(sehandle);
>> -
>>  	/* Mute all logs */
>>  	selinux_set_callback(SELINUX_CB_LOG, cb);
>>  
>> -- 
>> 2.48.1
>> 
>>

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cf9aa809b7f8..307f27f9838b 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1712,6 +1712,7 @@  static int semanage_commit_sandbox(semanage_handle_t * sh)
 	    semanage_path(SEMANAGE_PREVIOUS, SEMANAGE_TOPLEVEL);
 	const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL);
 	struct stat buf;
+	struct selabel_handle *sehandle;
 
 	/* update the commit number */
 	if ((commit_number = semanage_direct_get_serial(sh)) < 0) {
@@ -1822,6 +1823,8 @@  static int semanage_commit_sandbox(semanage_handle_t * sh)
 
       cleanup:
 	semanage_release_active_lock(sh);
+	sehandle = selinux_restorecon_default_handle();
+	selinux_restorecon_set_sehandle(sehandle);
 	return retval;
 }
 
@@ -3012,14 +3015,10 @@  log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
 void semanage_setfiles(semanage_handle_t * sh, const char *path){
 	struct stat sb;
 	int fd;
-	struct selabel_handle *sehandle;
 
 	union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
 	union selinux_callback cb = { .func_log = log_callback_mute };
 
-	sehandle = selinux_restorecon_default_handle();
-	selinux_restorecon_set_sehandle(sehandle);
-
 	/* Mute all logs */
 	selinux_set_callback(SELINUX_CB_LOG, cb);

libsemanage: improve performance of semanage store rebuild

Commit Message

Comments

Patch