On Tue, Jul 19, 2022 at 9:21 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Fri, Jul 15, 2022 at 05:42:35PM -0400, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
> >
> > This document represents a proposed Change. As part of the Changes
> > process, proposals are publicly announced in order to receive
> > community feedback. This proposal will only be implemented if approved
> > by the Fedora Engineering Steering Committee.
> >
> >
> > == Summary ==
> > After a system's SELinux mode is switched from disabled to enabled, or
> > after an administrator runs `fixfiles onboot`, SELinux autorelabel
> > will be run in parallel by default.
> >
> > == Owner ==
> > * Name: [[User:plautrba| Petr Lautrbach]]
> > * Email: plautrba@xxxxxxxxxx
> >
> >
> > == Detailed Description ==
> > SELinux tools `restorecon` and `fixfiles` recently gained the ability
> > to relabel files in parallel using the `-T nthreads` option. This
> > option is currently not used in the automatic relabel after reboot.
> > When users want/need the parallel relabeling they have to specify the
> > option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
> > 0` (0 == use all available CPU cores) will be the default for
> > `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
> > force it to use only one thread.
> >
> > The rationale is that when autorelabel runs, there are no other
> > resource-intensive processes running on the system, so it's fine (and
> > actually better) to use all available parallelism to speed up the task
> > and get to a fully booted system faster.
> >
> >
> > == Benefit to Fedora ==
> > Faster reboot after switching back to an SELinux enabled system or
> > when triggering autorelabel explicitly.
> [...]
> > == Upgrade/compatibility impact ==
> >
> >
> > == How To Test ==
> > # boot with SELinux disabled - add `selinux=0` to the kernel command line
> > # reboot
> > # store the time it took
> > # run `fixfiles -T 1 onboot`
> > # reboot
> > # the latter reboot should take longer time
> [...]
>
> I wonder if we can use this in virt tools & virt-v2v:
>
> https://github.com/libguestfs/libguestfs/blob/master/daemon/selinux-relabel.c
>
> We actually use setfiles instead of fixfiles. setfiles appears to
> have no -T option unfortunately. Is there a reason why setfiles
> doesn't have / need this option?

Both setfiles and restorecon also have the -T option, as long as you
are running a recent enough Fedora (36+, AFAIK).

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.