Revision as of 07:41, 15 July 2022
SELinux Parallel Autorelabel
Summary
SELinux autorelabel, which happens after a system is switched from SELinux disabled to enabled or after an administrator runs fixfiles onboot, will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The SELinux tools restorecon and fixfiles are able to relabel a filesystem in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. Users who want or need parallel relabeling have to run fixfiles -T 0 onboot on their own. With this change, -T 0 will be the default, and users will have to run fixfiles -T 1 onboot to use only one thread.
Feedback
Benefit to Fedora
Faster reboot after switching back to an SELinux-enabled system.
Scope
- Proposal owners:
- Update selinux-*.service to drop '-T nthread' into /.autorelabel
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
1. Boot with SELinux disabled: add selinux=0 to the kernel command line.
2. Check /.autorelabel.
3. Compare times for reboot after 1., 2. and if you put '-T 1' into /.autorelabel.
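A check for step 2, as an added example that is not part of the original proposal: the shell function below reads the flag file and reports which -T value the scheduled relabel will use. It assumes the file holds fixfiles options on a single line (for example "-F -T 0"); the function name and its output words are made up for illustration.

```shell
#!/bin/sh
# Added example: report the -T setting stored in an autorelabel flag file.
# Assumption: the file holds fixfiles options on one line, e.g. "-F -T 0".
# Prints one of: not-scheduled | default | invalid | <thread count>

autorelabel_threads() {
    flag_file=${1:-/.autorelabel}
    if [ ! -e "$flag_file" ]; then
        echo "not-scheduled"          # no relabel will run on next boot
        return 1
    fi
    # Split the stored options into words; disable globbing while doing so.
    set -f
    set -- $(cat "$flag_file")
    set +f
    seen=0
    threads=
    while [ $# -gt 0 ]; do
        case $1 in
            -T)                       # value is the next word: "-T 0"
                seen=1
                if [ $# -ge 2 ]; then threads=$2; shift; else threads=; fi
                ;;
            -T*)                      # value is attached: "-T0"
                seen=1
                threads=${1#-T}
                ;;
        esac
        shift
    done
    if [ "$seen" -eq 0 ]; then
        echo "default"                # no explicit -T: the release default applies
        return 0
    fi
    case $threads in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
        *) echo "$threads" ;;
    esac
}

# Stand-alone use: check the real flag file, or a path given as argument.
autorelabel_threads "${1:-/.autorelabel}" || true
```

An output of "default" means no explicit -T is stored, so the result depends on whether the release already carries this change.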
User Experience
Systems should be available for work sooner after an autorelabel.
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)