From Fedora Project Wiki

Revision as of 08:42, 15 July 2022 by Plautrba

SELinux Parallel Autorelabel

Summary

The SELinux autorelabel, which runs after a system is switched from SELinux disabled to enabled or after an administrator runs fixfiles onboot, will run in parallel by default.

Owner


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-07-15
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The SELinux tools restorecon and fixfiles can relabel a filesystem in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. Users who want or need parallel relabeling have to run fixfiles -T 0 onboot on their own. With this change, -T 0 will be the default, and users will have to run fixfiles -T 1 onboot to use only one thread.

Feedback

Benefit to Fedora

Faster reboot after switching back to an SELinux-enabled system.

Scope

  • Proposal owners:
    • Update /usr/libexec/selinux/selinux-autorelabel to use '-T 0' by default.
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

  1. Boot with SELinux disabled: add selinux=0 to the kernel command line.
  2. Reboot.
  3. Store the time it took.
  4. Run fixfiles -T 1 onboot.
  5. Reboot.
  6. The latter reboot should take longer.
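
To estimate the gain on a given machine before going through the reboots, the script below times a dry-run relabel with one thread and with -T 0. It is an added example, not part of this Change page or of the selinux-autorelabel script. The function names and the /usr default target are assumptions; run it as root on a system whose restorecon supports -T.

```shell
#!/bin/bash
# Added example: compare single-threaded and parallel relabel time.
# restorecon flags used: -R recurse, -n check labels but change nothing,
# -T N worker threads (1 = single thread, 0 = one per available CPU core).

# elapsed_ms THREADS PATH: wall-clock milliseconds for one dry-run pass.
elapsed_ms() {
    local start end
    start=$(date +%s%N)            # nanoseconds, GNU date
    restorecon -R -n -T "$1" "$2" >/dev/null 2>&1 || return 1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# saved_pct SERIAL_MS PARALLEL_MS: share of time saved, as an integer
# percentage. A negative result means the parallel run was slower.
saved_pct() {
    [ "$1" -gt 0 ] || return 1     # refuse to divide by zero
    echo $(( ($1 - $2) * 100 / $1 ))
}

# compare_relabel [PATH]: PATH defaults to /usr (assumed large subtree).
compare_relabel() {
    local target=${1:-/usr} serial parallel
    command -v restorecon >/dev/null || {
        echo "restorecon not found" >&2
        return 1
    }
    # Untimed warm-up pass so both timed passes read from a warm page
    # cache; otherwise the first pass pays the disk I/O and the
    # comparison is skewed in favour of the second.
    elapsed_ms 1 "$target" >/dev/null || return 1
    serial=$(elapsed_ms 1 "$target") || return 1
    parallel=$(elapsed_ms 0 "$target") || return 1
    echo "-T 1: ${serial} ms  -T 0: ${parallel} ms  saved: $(saved_pct "$serial" "$parallel")%"
}

# Runs only when a target path is given, e.g. ./relabel-timing.sh /usr
if [ "$#" -gt 0 ]; then
    compare_relabel "$1"
fi
```

Because of the warm-up pass the figures reflect CPU-bound label checking; a real autorelabel at boot starts with a cold cache, so the saving seen there can differ.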


User Experience

Systems should be available for work sooner after an SELinux autorelabel.

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes