SELinux Parallel Autorelabel
Summary
SELinux autorelabel, after fixfiles onboot or after a system is switched from SELinux disabled to SELinux enabled mode, will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The SELinux tools restorecon and fixfiles are able to run in parallel using more than one thread. Both support the '-T nthreads' option, which can also be used in the automatic relabel after reboot when a system was switched from disabled mode to enabled, or when an administrator used the fixfiles onboot command.
Feedback
Benefit to Fedora
Faster reboot after switching back to an SELinux-enabled system
Scope
- Proposal owners:
- Update selinux-*.service to drop '-T nthread' into /.autorelabel
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
1. boot with SELinux disabled - add selinux=0 to the kernel command line
2. check /.autorelabel
3. compare the reboot times after steps 1 and 2 with the reboot time when you put '-T 1' into /.autorelabel
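A small check for steps 2 and 3, added here as an example and not part of the original proposal or of the SELinux tools: the hypothetical helper autorelabel_threads reads a flag file and reports the '-T' value in it, so each timed reboot can be matched to the thread setting it ran with. It assumes the file holds whitespace-separated options, as the '-T 1' case in step 3 suggests.

```shell
#!/bin/sh
# Added example (not from the proposal): report the -T value stored in an
# autorelabel flag file. autorelabel_threads is a hypothetical helper name.
# The path is an argument so it can be tried on a constructed sample
# instead of the real /.autorelabel.
#
# Prints one of: absent | unset | invalid | <number>
# Exit status:   1 if the file is absent, 2 if -T has a bad value, else 0.
autorelabel_threads() (
    file=$1
    if [ ! -e "$file" ]; then
        echo "absent"              # no relabel is scheduled
        exit 1
    fi
    set -f                         # no glob expansion of the file's words
    # Assumption: options are whitespace-separated words, e.g. "-T 1".
    set -- $(cat "$file")
    while [ $# -gt 0 ]; do
        if [ "$1" = "-T" ]; then
            case ${2:-} in
                ''|*[!0-9]*) echo "invalid"; exit 2 ;;  # missing or non-numeric
                *)           echo "$2";      exit 0 ;;
            esac
        fi
        shift
    done
    echo "unset"                   # file exists but carries no -T option
    exit 0
)

# Constructed sample standing in for /.autorelabel (the '-T 1' case of step 3).
sample=$(mktemp)
printf '%s\n' '-T 1' > "$sample"
echo "threads: $(autorelabel_threads "$sample")"
rm -f "$sample"
```

On a test machine, call it as autorelabel_threads /.autorelabel before each timed reboot and record the result next to the measured time.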
User Experience
Systems should be available for work sooner after an autorelabel
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)