https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
After a system's SELinux mode is switched from disabled to enabled, or
after an administrator runs `fixfiles onboot`, SELinux autorelabel
will be run in parallel by default.

== Owner ==
* Name: [[User:plautrba| Petr Lautrbach]]
* Email: plaut...@redhat.com


== Detailed Description ==
The SELinux tools `restorecon` and `fixfiles` recently gained the
ability to relabel files in parallel using the `-T nthreads` option.
This option is currently not used in the automatic relabel after
reboot. Users who want or need parallel relabeling have to specify the
option explicitly (e.g. `fixfiles -T 0 onboot`). With this change,
`-T 0` (0 == use all available CPU cores) will be the default for
`fixfiles onboot`, and users will have to use `fixfiles -T 1 onboot`
to force it to use only one thread.

The rationale is that when autorelabel runs, there are no other
resource-intensive processes running on the system, so it's fine (and
actually better) to use all available parallelism to speed up the task
and get to a fully booted system faster.


== Benefit to Fedora ==
Faster reboot after switching back to an SELinux-enabled system or
when triggering autorelabel explicitly.


== Scope ==
* Proposal owners:
** Update `/usr/libexec/selinux/selinux-autorelabel` to use `-T 0` by default.

* Other developers:
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==


== How To Test ==
# boot with SELinux disabled - add `selinux=0` to the kernel command line
# reboot
# store the time it took
# run `fixfiles -T 1 onboot`
# reboot
# the latter reboot should take longer


== User Experience ==
Systems should be up and running faster after SELinux autorelabel.

== Dependencies ==


== Contingency Plan ==
* Contingency mechanism: N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)

== Documentation ==

N/A (not a System Wide Change)


-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis