From Fedora Project Wiki

Revision as of 16:26, 2 August 2022 by Bcotton (talk | contribs) (Change approved by FESCo)

SELinux Parallel Autorelabel

Summary

After a system's SELinux mode is switched from disabled to enabled, or after an administrator runs fixfiles onboot, SELinux autorelabel will be run in parallel by default.

Owner


Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-08-02
  • devel thread
  • FESCo issue: #2841
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

SELinux tools restorecon and fixfiles recently gained the ability to relabel files in parallel using the -T nthreads option. This option is currently not used in the automatic relabel after reboot. When users want/need the parallel relabeling they have to specify the option explicitly (e.g. fixfiles -T 0 onboot). With this change -T 0 (0 == use all available CPU cores) will be the default for fixfiles onboot and users will have to use fixfiles -T 1 onboot to force it to use only one thread.

The rationale is that when autorelabel runs, there are no other resource-intensive processes running on the system, so it's fine (and actually better) to use all available parallelism to speed up the task and get to a fully booted system faster.

Feedback

Benefit to Fedora

Faster reboot after switching back to an SELinux enabled system or when triggering autorelabel explicitly. The relabelling time can be reduced up to ~18 times, depending on the number of cores (the upper limit for the speed-up is the number of cores, naturally). To get an idea of the scaling see the upstream commit message introducing the parallel relabelling support.

Scope

  • Proposal owners:
    • Update /usr/libexec/selinux/selinux-autorelabel to use -T 0 by default.
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

  1. boot with SELinux disabled - add selinux=0 to the kernel command line
  2. reboot
  3. store the time it took
  4. run fixfiles -T 1 onboot
  5. reboot
  6. the latter reboot should take longer time


User Experience

Systems should be up and running faster after SELinux autorelabel.

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes