Re: F37 proposal: SELinux Parallel Autorelabel (Self-Contained Change proposal)

On Tue, Jul 19, 2022 at 10:11:05PM +0200, Ondrej Mosnacek wrote:
> On Tue, Jul 19, 2022 at 9:21 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> > On Fri, Jul 15, 2022 at 05:42:35PM -0400, Ben Cotton wrote:
> > > https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
> > >
> > > This document represents a proposed Change. As part of the Changes
> > > process, proposals are publicly announced in order to receive
> > > community feedback. This proposal will only be implemented if approved
> > > by the Fedora Engineering Steering Committee.
> > >
> > >
> > > == Summary ==
> > > After a system's SELinux mode is switched from disabled to enabled, or
> > > after an administrator runs `fixfiles onboot`, SELinux autorelabel
> > > will be run in parallel by default.
> > >
> > > == Owner ==
> > > * Name: [[User:plautrba| Petr Lautrbach]]
> > > * Email: plautrba@xxxxxxxxxx
> > >
> > >
> > > == Detailed Description ==
> > > SELinux tools `restorecon` and `fixfiles` recently gained the ability
> > > to relabel files in parallel using the `-T nthreads` option. This
> > > option is currently not used in the automatic relabel after reboot.
> > > When users want/need the parallel relabeling they have to specify the
> > > option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
> > > 0` (0 == use all available CPU cores) will be the default for
> > > `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
> > > force it to use only one thread.
> > >
> > > The rationale is that when autorelabel runs, there are no other
> > > resource-intensive processes running on the system, so it's fine (and
> > > actually better) to use all available parallelism to speed up the task
> > > and get to a fully booted system faster.
> > >
> > >
> > > == Benefit to Fedora ==
> > > Faster reboot after switching back to an SELinux enabled system or
> > > when triggering autorelabel explicitly.
> > [...]
> > > == Upgrade/compatibility impact ==
> > >
> > >
> > > == How To Test ==
> > > # boot with SELinux disabled - add `selinux=0` to the kernel command line
> > > # reboot
> > > # store the time it took
> > > # run `fixfiles -T 1 onboot`
> > > # reboot
> > > # the latter reboot should take longer time
> > [...]
> >
> > I wonder if we can use this in virt tools & virt-v2v:
> >
> > https://github.com/libguestfs/libguestfs/blob/master/daemon/selinux-relabel.c
> >
> > We actually use setfiles instead of fixfiles.  setfiles appears to
> > have no -T option unfortunately.  Is there a reason why setfiles
> > doesn't have / need this option?
> 
> Both setfiles and restorecon also have the -T option, as long as you
> are running a recent enough Fedora (36+, AFAIK).

Yes, indeed it does - I missed it in the man page.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx