Revision as of 09:19, 15 July 2022
SELinux Parallel Autorelabel
Summary
After a system's SELinux mode is switched from disabled to enabled, or after an administrator runs `fixfiles onboot`, SELinux autorelabel will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
SELinux tools `restorecon` and `fixfiles` recently gained the ability to relabel files in parallel using the `-T nthreads` option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to specify the option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T 0` (0 == use all available CPU cores) will be the default for `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to force it to use only one thread.
The rationale is that when autorelabel runs, there are no other resource-intensive processes running on the system, so it's fine (and actually better) to use all available parallelism to speed up the task and get to a fully booted system faster.
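The rule described above (parallel by default, an explicit `-T` from the administrator wins) can be modelled as a small option filter. This is an added sketch, not the code of `/usr/libexec/selinux/selinux-autorelabel`; the function name `relabel_opts` and the idea that the requested options arrive as one whitespace-separated string are assumptions made for illustration.

```shell
#!/bin/sh
# Added sketch, not Fedora's script: models "-T 0 unless the admin asked otherwise".
# Assumption: the options given to `fixfiles ... onboot` reach the boot-time
# relabel as a single whitespace-separated string, passed here as $1.

# Print the option string the relabel run would use; return 2 on a bad -T value.
relabel_opts() {
    threads=
    rest=
    expect_value=no
    # Unquoted on purpose: $1 is a list of CLI options, split on whitespace.
    for word in $1; do
        if [ "$expect_value" = yes ]; then
            threads=$word
            expect_value=no
            continue
        fi
        case $word in
            -T)   expect_value=yes ;;        # separated form: "-T 1"
            -T?*) threads=${word#-T} ;;      # attached form:  "-T1"
            *)    rest="$rest $word" ;;      # any other option passes through
        esac
    done
    # "-T" given as the last word, with no value after it
    if [ "$expect_value" = yes ]; then
        return 2
    fi
    # Default from the proposal: 0 == use all available CPU cores
    : "${threads:=0}"
    # Accept only a non-negative integer as the thread count
    case $threads in
        *[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "-T $threads$rest"
}

# Constructed inputs: nothing requested, single thread forced, another option only.
relabel_opts ""        # -T 0
relabel_opts "-T 1"    # -T 1
relabel_opts "-F"      # -T 0 -F
```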
Feedback
Benefit to Fedora
Faster reboot after switching back to an SELinux enabled system or when triggering autorelabel explicitly.
Scope
- Proposal owners:
  - Update `/usr/libexec/selinux/selinux-autorelabel` to use `-T 0` by default.
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
- boot with SELinux disabled - add `selinux=0` to the kernel command line - reboot
- store the time it took
- run `fixfiles -T 1 onboot`
- reboot
- the latter reboot should take a longer time
User Experience
Systems should be up and running faster after SELinux autorelabel.
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)