On Thu, May 29, 2025 at 6:16 AM Richard W.M. Jones <rjo...@redhat.com> wrote:
>
> [This is a general moan / observation ... Sorry!]
>
> SELinux policy is sometimes now split so that packages can carry their
> own policy subpackage.  Examples include:
>
> https://src.fedoraproject.org/rpms/passt/blob/rawhide/f/passt.spec#_36
> https://src.fedoraproject.org/rpms/nbdkit/blob/rawhide/f/nbdkit.spec#_751
>
> I've recently been installing a lot of VMs with virt-v2v, and of the
> approximately 3 minutes spent installing the required packages, I'd
> estimate that around 2 minutes is spent running the *-selinux
> post-install scripts for swtpm-selinux, passt-selinux and
> nbdkit-selinux.  For some reason passt-selinux is particularly
> excessive (I eyeballed it at around 75 seconds).
>
> I wonder if there's a way we could have RPM rebuild the SELinux policy
> just once in this situation?  And asking another level of "why", why
> is rebuilding the policy so slow in the first place?
>

The problem is that policy modules can depend on each other, and since
policy modules can add things both to the global store and to the pool
of stuff other modules can use, it has to be processed serially.

This is why the historical policy was that everything needs to go into
selinux-policy itself. SELinux as a system isn't designed for modular
policies, as it's a system for centralized overlord-style control.

There is definitely some stupid stuff still, though: like
selinux-policy having a vendored copy of container-selinux and the
container tools still requiring their own container-selinux package
anyway. It should be one way or another, not both because it creates
install and upgrade problems occasionally (in addition to the slow
performance issue).

Another issue is that we don't have a good way to do selective
relabeling based on the module being installed, and while the SELinux
tools support multi-threaded operations, it's not the default and none
of the macros use it. And from an image builder perspective, there are
also issues with SELinux tools being very hard to use to set up
policies offline as well.

--
真実はいつも一つ!/ Always, there's only one truth!
-- 
devel mailing list -- devel@lists.fedoraproject.org
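An added example, not code from either message in the thread: a POSIX sh helper that installs every policy module found in a directory through a single semodule transaction, so the policy is linked and loaded once rather than once per *-selinux subpackage, and then relabels using all CPUs. It assumes that semodule accepts several -i options in one invocation and that restorecon's -T 0 (policycoreutils 3.1 or later) spreads relabeling across all cores; the .pp file names and relabel paths are constructed placeholders, and with DRY_RUN=1 (the default) the commands are printed rather than executed, so it runs without SELinux tooling present.

```shell
#!/bin/sh
# Added example, not from the thread. Batch all *.pp modules in one directory
# into ONE semodule transaction (policy linked/expanded once), reload the
# kernel policy once, then relabel with all CPUs.
#
# Assumptions (not stated in the thread):
#  - semodule accepts several -i options in a single invocation
#  - restorecon -T 0 (policycoreutils >= 3.1) relabels using all CPU cores
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# batch_semodule DIR RELABEL_PATHS
#   DIR           directory holding the .pp modules to install
#   RELABEL_PATHS space-separated paths to relabel afterwards (no spaces in names)
# Returns non-zero if DIR has no modules or any step fails.
batch_semodule() {
    dir=$1
    relabel=$2
    set --                                   # collect the -i list as positional args
    for pp in "$dir"/*.pp; do
        [ -e "$pp" ] || { echo "batch_semodule: no .pp modules in $dir" >&2; return 1; }
        set -- "$@" -i "$pp"
    done
    # -n: stage every module in the store without reloading the kernel policy yet
    run semodule -n "$@" || return 1
    # a single kernel policy reload for the whole batch
    run load_policy || return 1
    # parallel relabel limited to the paths the new modules actually affect
    # shellcheck disable=SC2086  # word splitting on $relabel is intended
    run restorecon -T 0 -R $relabel
}
```

The point of the batch is the single load_policy at the end: each subpackage's own %post scriptlet has to run its own semodule and reload, which is where the repeated rebuild time in the thread comes from, whereas one transaction pays the link step once.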