Learn more about these different git repos.
Other Git URLs
When processing SELinux rules, we always download all enabled rules, then filter out those that apply to the user who is logging in and then only save those that matched into the sysdb.
However, we never delete any rules, which means that a rule that is deleted or disabled on the server is left in the cache forever.
Given that we download all the rules anyway, I think we might as well delete and then save all rules into the sysdb on every login and then filter them out when processing the rules.
Are there any performance implication of getting all rules every time?
This needs to be fixed in beta5 due today.
owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned
We are already downloading all the rules from the server every time, the difference is that in the current master, we only save rules that apply to the current user to sysdb. However, in order to do so, we were contacting the server again to resolve seeAlso attributes. I think that saving all the rules every time would actually be faster, because we wouldn't perform the second resolution.
I think we could implement something similar to ipa_hbac_refresh so that SELinux rules are not downloaded every time if multiple logins happen very closely after one another.
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 5
to comment on this ticket.