SELinux Parallel Autorelabel
Summary
SELinux autorelabel - after a system was switched SELinux mode from disabled to enabled, or after an administrator ran fixfiles onboot - will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
SELinux tools restorecon and fixfiles are able to relabel a filesystem in parallel using -T nthreads option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to use fixfiles -T 0 onboot on their own. With this change -T 0 will be default for and users will have to use fixfiles -T 1 onboot to use only one thread.
Feedback
Benefit to Fedora
Faster reboot after switch back to SELinux enabled system
Scope
- Proposal owners:
- Update selinux-*.service to drop '-T nthread' into /.autorelabel
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
1. boot with SELinux disabled - add selinux=0 to kernel command line 2. check /.autorebale 3. compare times for reboot after 1.,2. and if you put '-T 1' into /.autorelabel
User Experience
Systems should be sooner available for work after autorelabel
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)