< Changes
mNo edit summary |
mNo edit summary |
||
| Line 3: | Line 3: | ||
== Summary == | == Summary == | ||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". --> | ||
SELinux autorelabel - after `fixfiles onboot` or after a system is switched from SELinux disabled to SELinux enabled mode - will be run in parallel by default. | |||
== Owner == | == Owner == | ||
| Line 43: | Line 43: | ||
== Detailed Description == | == Detailed Description == | ||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
restorecon and fixfiles | SELinux tools `restorecon` and `fixfiles` are able to run in parallel using more than one thread. Both supports '-T nthreads' options which can be used also in automatic relabel after reboot when a system was switched from disabled mode to enabled, or when an administrator used `fixfiles onboot` command. | ||
== Feedback == | == Feedback == | ||
Revision as of 06:59, 15 July 2022
SELinux Parallel Autorelabel
Summary
SELinux autorelabel - after fixfiles onboot or after a system is switched from SELinux disabled to SELinux enabled mode - will be run in parallel by default.
Owner
- Name: Petr Lautrbach
- Email: plautrba@redhat.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-07-15
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
SELinux tools restorecon and fixfiles are able to run in parallel using more than one thread. Both supports '-T nthreads' options which can be used also in automatic relabel after reboot when a system was switched from disabled mode to enabled, or when an administrator used fixfiles onboot command.
Feedback
Benefit to Fedora
Faster reboot after switch back to SELinux enabled system
Scope
- Proposal owners:
- Update selinux-*.service to drop '-T nthread' into /.autorelabel
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
1. boot with SELinux disabled - add selinux=0 to kernel command line 2. check /.autorebale 3. compare times for reboot after 1.,2. and if you put '-T 1' into /.autorelabel
User Experience
Systems should be sooner available for work after autorelabel
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)