On Thu, May 29, 2025 at 6:16 AM Richard W.M. Jones <rjo...@redhat.com> wrote: > > [This is a general moan / observation ... Sorry!] > > SELinux policy is sometimes now split so that packages can carry their > own policy subpackage. Examples include: > > https://src.fedoraproject.org/rpms/passt/blob/rawhide/f/passt.spec#_36 > https://src.fedoraproject.org/rpms/nbdkit/blob/rawhide/f/nbdkit.spec#_751 > > I've recently been installing a lot of VMs with virt-v2v, and of the > approximately 3 minutes spent installing the required packages, I'd > estimate that around 2 minutes is spent running the *-selinux > post-install scripts for swtpm-seinux, passt-selinux and > nbdkit-selinux. For some reason passt-selinux is particularly > excessive (I eyeballed it at around 75 seconds). > > I wonder if there's a way we could have RPM rebuild the SELinux policy > just once in this situation? And asking another level of "why", why > is rebuilding the policy so slow in the first place? >
The problem is that policy modules can depend on each other, and since policy modules can add things both to the global store and to the pool of stuff other modules can use, it has to be processed serially. This is why the historical policy was that everything needs to go into selinux-policy itself. SELinux as a system isn't designed for modular policies, as it's a system for centralized overlord-style control. There is definitely some stupid stuff still, though: like selinux-policy having a vendored copy of container-selinux and the container tools still requiring their own container-selinux package anyway. It should be one way or another, not both because it creates install and upgrade problems occasionally (in addition to the slow performance issue). Another issue is that we don't have a good way to do selective relabeling based on the module being installed, and while the SELinux tools support multi-threaded operations, it's not the default and none of the macros use it. And from an image builder perspective, there are also issues with SELinux tools being very hard to use to set up policies offline as well. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
