On July 15, 2022 9:42:35 PM UTC, Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
>
>This document represents a proposed Change. As part of the Changes
>process, proposals are publicly announced in order to receive
>community feedback. This proposal will only be implemented if approved
>by the Fedora Engineering Steering Committee.
>
>
>== Summary ==
>After a system's SELinux mode is switched from disabled to enabled, or
>after an administrator runs `fixfiles onboot`, SELinux autorelabel
>will be run in parallel by default.
>
>== Owner ==
>* Name: [[User:plautrba| Petr Lautrbach]]
>* Email: plautrba@xxxxxxxxxx
>
>
>== Detailed Description ==
>SELinux tools `restorecon` and `fixfiles` recently gained the ability
>to relabel files in parallel using the `-T nthreads` option. This
>option is currently not used in the automatic relabel after reboot.
>When users want/need the parallel relabeling they have to specify the
>option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
>0` (0 == use all available CPU cores) will be the default for
>`fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
>force it to use only one thread.
>
>The rationale is that when autorelabel runs, there are no other
>resource-intensive processes running on the system, so it's fine (and
>actually better) to use all available parallelism to speed up the task
>and get to a fully booted system faster.
>
>
>== Benefit to Fedora ==
>Faster reboot after switching back to an SELinux enabled system or
>when triggering autorelabel explicitly.

Just out of curiosity, how large is the speedup typically?

>
>== Scope ==
>* Proposal owners:
>** Update `/usr/libexec/selinux/selinux-autorelabel` to use `-T 0` by default.
>
>* Other developers:
>* Release engineering:
>* Policies and guidelines: N/A (not needed for this Change)
>* Trademark approval: N/A (not needed for this Change)
>* Alignment with Objectives:
>
>
>== Upgrade/compatibility impact ==
>
>
>== How To Test ==
># boot with SELinux disabled - add `selinux=0` to the kernel command line
># reboot
># store the time it took
># run `fixfiles -T 1 onboot`
># reboot
># the latter reboot should take longer time
>
>
>== User Experience ==
>Systems should be up and running faster after SELinux autorelabel.
>
>== Dependencies ==
>
>
>== Contingency Plan ==
>* Contingency mechanism: (What to do? Who will do it?) N/A (not a
>System Wide Change)
>* Contingency deadline: N/A (not a System Wide Change)
>* Blocks release? N/A (not a System Wide Change), Yes/No
>
>== Documentation ==
>
>N/A (not a System Wide Change)