On Fri, Jul 15, 2022 at 05:42:35PM -0400, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
> 
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
> 
> 
> == Summary ==
> After a system's SELinux mode is switched from disabled to enabled, or
> after an administrator runs `fixfiles onboot`, SELinux autorelabel
> will be run in parallel by default.
> 
> == Owner ==
> * Name: [[User:plautrba| Petr Lautrbach]]
> * Email: plaut...@redhat.com
> 
> 
> == Detailed Description ==
> SELinux tools `restorecon` and `fixfiles` recently gained the ability
> to relabel files in parallel using the `-T nthreads` option. This
> option is currently not used in the automatic relabel after reboot.
> When users want/need the parallel relabeling they have to specify the
> option explicitly (e.g. `fixfiles -T 0 onboot`). With this change `-T
> 0` (0 == use all available CPU cores) will be the default for
> `fixfiles onboot` and users will have to use `fixfiles -T 1 onboot` to
> force it to use only one thread.
> 
> The rationale is that when autorelabel runs, there are no other
> resource-intensive processes running on the system, so it's fine (and
> actually better) to use all available parallelism to speed up the task
> and get to a fully booted system faster.
> 
> 
> == Benefit to Fedora ==
> Faster reboot after switching back to an SELinux enabled system or
> when triggering autorelabel explicitly.
[...]
> == Upgrade/compatibility impact ==
> 
> 
> == How To Test ==
> # boot with SELinux disabled - add `selinux=0` to the kernel command line
> # reboot
> # store the time it took
> # run `fixfiles -T 1 onboot`
> # reboot
> # the latter reboot should take a longer time
[...]

I wonder if we can use this in virt tools & virt-v2v:

https://github.com/libguestfs/libguestfs/blob/master/daemon/selinux-relabel.c

We actually use setfiles instead of fixfiles.  setfiles appears to
have no -T option unfortunately.  Is there a reason why setfiles
doesn't have / need this option?

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top