Revision as of 08:41, 15 July 2022
SELinux Parallel Autorelabel
Summary
SELinux autorelabel, which runs after a system's SELinux mode is switched from disabled to enabled or after an administrator runs fixfiles onboot, will run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The SELinux tools restorecon and fixfiles are able to relabel a filesystem in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. Users who want or need parallel relabeling have to run fixfiles -T 0 onboot on their own. With this change -T 0 will be default for and users will have to use fixfiles -T 1 onboot to use only one thread.
Feedback
Benefit to Fedora
Faster reboot after switching back to an SELinux-enabled system.
Scope
- Proposal owners:
  - Update /usr/libexec/selinux/selinux-autorelabel to use '-T 0' by default.
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
- boot with SELinux disabled - add selinux=0 to kernel command line
- reboot
- store the time it took
- run fixfiles -T 1 onboot
- reboot
- the latter reboot should take longer
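For a rough comparison of -T 1 against -T 0 without rebooting, the following added example (not part of the Change page or of policycoreutils) times a dry-run restorecon pass over one tree. The function names relabel_seconds and compare_relabel are hypothetical, and it assumes a restorecon that supports -T; because -n writes no labels, the numbers only approximate a real relabel.

```shell
#!/bin/sh
# Added example, not from the Change page. Function names are hypothetical.
# Assumes restorecon supports -T nthreads.

# relabel_seconds THREADS PATH
# Times a dry-run recursive relabel and prints the elapsed whole seconds.
# Returns 2 on a bad thread count, 1 if restorecon fails.
relabel_seconds() {
    threads=$1
    target=$2
    case $threads in
        ''|*[!0-9]*) echo "threads must be a non-negative integer" >&2; return 2 ;;
    esac
    start=$(date +%s)
    # -n: report only, change no labels; -R: recurse
    # -T 0: one thread per available CPU core; -T 1: single thread
    restorecon -n -R -T "$threads" "$target" >/dev/null 2>&1 || return 1
    end=$(date +%s)
    echo $((end - start))
}

# compare_relabel PATH
# Warms the page cache once so both timed runs see the same cache state,
# then times -T 1 against -T 0 on the same tree.
compare_relabel() {
    target=$1
    relabel_seconds 0 "$target" >/dev/null || return 1   # warm-up, result discarded
    single=$(relabel_seconds 1 "$target") || return 1
    parallel=$(relabel_seconds 0 "$target") || return 1
    echo "threads=1 seconds=$single"
    echo "threads=0 seconds=$parallel"
}

# Run only when a path is given, e.g.: sh relabel-time.sh /usr
if [ $# -gt 0 ]; then
    compare_relabel "$1"
fi
```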
User Experience
Systems should be available for work sooner after an SELinux autorelabel.
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)