No edit summary |
(Announcing the Change proposal) |
||
| Line 1: | Line 1: | ||
= SELinux Parallel Autorelabel <!-- The name of your change proposal --> = | = SELinux Parallel Autorelabel <!-- The name of your change proposal --> = | ||
{{Change_Proposal_Banner}} | |||
== Summary == | == Summary == | ||
| Line 19: | Line 21: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAnnounced]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
| Line 37: | Line 39: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/W7CO55STPHPDHT6PEWPQAQXAOZPKOIYD/ devel thread] | |||
* FESCo issue: <will be assigned by the Wrangler> | * FESCo issue: <will be assigned by the Wrangler> | ||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> | ||
Revision as of 21:50, 15 July 2022
SELinux Parallel Autorelabel
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
After a system's SELinux mode is switched from disabled to enabled, or after an administrator runs fixfiles onboot, SELinux autorelabel will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- devel thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
SELinux tools restorecon and fixfiles recently gained the ability to relabel files in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to specify the option explicitly (e.g. fixfiles -T 0 onboot). With this change -T 0 (0 == use all available CPU cores) will be the default for fixfiles onboot and users will have to use fixfiles -T 1 onboot to force it to use only one thread.
The rationale is that when autorelabel runs, there are no other resource-intensive processes running on the system, so it's fine (and actually better) to use all available parallelism to speed up the task and get to a fully booted system faster.
Feedback
Benefit to Fedora
Faster reboot after switching back to an SELinux enabled system or when triggering autorelabel explicitly.
Scope
- Proposal owners:
- Update
/usr/libexec/selinux/selinux-autorelabelto use-T 0by default.
- Update
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
- boot with SELinux disabled - add
selinux=0to the kernel command line - reboot
- store the time it took
- run
fixfiles -T 1 onboot - reboot
- the latter reboot should take longer time
User Experience
Systems should be up and running faster after SELinux autorelabel.
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)