On Thu, May 29, 2025 at 07:35:28PM +0200, Petr Lautrbach wrote:
> Neal Gompa <ngomp...@gmail.com> writes:
>
> > On Thu, May 29, 2025 at 6:16 AM Richard W.M. Jones <rjo...@redhat.com>
> > wrote:
> >>
> >> [This is a general moan / observation ... Sorry!]
> >>
> >> SELinux policy is sometimes now split so that packages can carry their
> >> own policy subpackage. Examples include:
> >>
> >> https://src.fedoraproject.org/rpms/passt/blob/rawhide/f/passt.spec#_36
> >> https://src.fedoraproject.org/rpms/nbdkit/blob/rawhide/f/nbdkit.spec#_751
>
> One thing that could be simply fixed:
>
> https://src.fedoraproject.org/rpms/passt/blob/rawhide/f/passt.spec#_91
>
> There's no need to run the macro 3 times - all modules can be installed
> in one run using
>
> %selinux_modules_install -s %{selinuxtype} \
>     %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp \
>     %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp \
>     %{_datadir}/selinux/packages/%{selinuxtype}/passt-repair.pp
Thanks, this might explain why this particular package takes much
longer than the others to install.

Rich.

> >>
> >> I've recently been installing a lot of VMs with virt-v2v, and of the
> >> approximately 3 minutes spent installing the required packages, I'd
> >> estimate that around 2 minutes is spent running the *-selinux
> >> post-install scripts for swtpm-selinux, passt-selinux and
> >> nbdkit-selinux. For some reason passt-selinux is particularly
> >> excessive (I eyeballed it at around 75 seconds).
> >>
> >> I wonder if there's a way we could have RPM rebuild the SELinux policy
> >> just once in this situation? And asking another level of "why", why
> >> is rebuilding the policy so slow in the first place?
> >>
> >
> > The problem is that policy modules can depend on each other, and since
> > policy modules can add things both to the global store and to the pool
> > of stuff other modules can use, it has to be processed serially.
>
> Well, no.
>
> If a policy rule depends on a type from another module which is not
> from base policy, it needs to be in an optional_policy block,
>
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Custom_policy_modules_and_distribution_policy
>
> >
> > This is why the historical policy was that everything needs to go into
> > selinux-policy itself. SELinux as a system isn't designed for modular
> > policies, as it's a system for centralized overlord-style control.
>
> There are two types of policy - monolithic and modular. Fedora has been using
> modular policy for ages. Also for almost 10 upstream releases, the SELinux
> policy store supports priorities on modules. It means you can override a
> base module with your changed module using a higher priority than 100.
>
> We use priorities to differentiate modules from the selinux-policy package -
> priority 100, from -selinux subpackages - priority 200, setroubleshoot
> suggests to use priority 300 and local user modules use the default
> priority 400
>
> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/types_of_policy.md
> https://plautrba.fedorapeople.org/selinux-modules-and-priority.html
>
> > There is definitely some stupid stuff still, though: like
> > selinux-policy having a vendored copy of container-selinux and the
> > container tools still requiring their own container-selinux package
> > anyway. It should be one way or another, not both because it creates
> > install and upgrade problems occasionally (in addition to the slow
> > performance issue).
> >
>
> This is much more complicated and the issue originated in the times when
> container policy was part of Fedora policy. It didn't scale, the container
> team needed to progress much faster than the selinux-policy team was able
> to.
>
> >
> > Another issue is that we don't have a good way to do selective
> > relabeling based on the module being installed, and while the SELinux
> > tools support multi-threaded operations, it's not the default and none
> > of the macros use it. And from an image builder perspective, there are
> > also issues with SELinux tools being very hard to use to set up
> > policies offline as well.
> >
>
> This is not correct.
>
> There's a %selinux_relabel_pre macro which stores file contexts before
> policy is installed, and %selinux_relabel_post which relabels only
> directories affected by the change in policy - this is not perfect
> though as in some cases it could cause relabeling of the whole fs
>
> https://fedoraproject.org/wiki/SELinux/IndependentPolicy#The_%prep_and_%install_Section
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2318279
>
> >
> > --
> > 真実はいつも一つ!/ Always, there's only one truth!
-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html

-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
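Added example, not code from this thread or from the selinux-policy macro package: a small POSIX shell script that does in plain `semodule` calls what Petr's single `%selinux_modules_install` invocation does (one store rebuild for all modules, at the -selinux subpackage priority 200, with the kernel policy loaded once at the end), and a helper that reads a `semodule --list-modules=full` style listing to show which copy of a module the store actually uses when the same name exists at priorities 100 and 200. Assumptions: the listing's column order (priority, module name, format) and the sample listing are constructed for illustration, the tool paths default to `/usr/sbin`, and `dry_run_semodule` is a stand-in so the script can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the selinux-policy
# macros). Shows batching several policy modules into ONE semodule run and
# how module priorities resolve. Paths/sample data below are constructed.

# Overridable so the functions can be dry-run without a real policy store.
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"
SELINUXENABLED="${SELINUXENABLED:-/usr/sbin/selinuxenabled}"
LOAD_POLICY="${LOAD_POLICY:-/usr/sbin/load_policy}"
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Stand-in for semodule: prints the command line instead of running it.
# Use it with SEMODULE=dry_run_semodule.
dry_run_semodule() {
    printf 'semodule %s\n' "$*"
}

# Policy type from /etc/selinux/config; "targeted" when unset or unreadable.
selinux_policy_type() {
    _type=""
    if [ -r "$SELINUX_CONFIG" ]; then
        _type=$(sed -n 's/^SELINUXTYPE=//p' "$SELINUX_CONFIG" | tail -n 1)
    fi
    printf '%s\n' "${_type:-targeted}"
}

# install_policy_modules PRIORITY MODULE.pp [MODULE.pp ...]
# One semodule call covers the whole list, so the store is rebuilt once:
#   -n        rebuild the store but do not reload the kernel policy yet
#   -s TYPE   which policy store to modify
#   -X PRIO   priority for every module (200 is the -selinux subpackage slot)
#   -i ...    all module packages in a single operation
# The kernel policy is then loaded once, and only if SELinux is enabled.
install_policy_modules() {
    _prio="$1"; shift
    [ "$#" -gt 0 ] || { echo "install_policy_modules: no modules given" >&2; return 2; }
    "$SEMODULE" -n -s "$(selinux_policy_type)" -X "$_prio" -i "$@" || return 1
    if [ -x "$SELINUXENABLED" ] && "$SELINUXENABLED"; then
        "$LOAD_POLICY"
    fi
}

# active_module_priority NAME < listing
# Reads "semodule --list-modules=full" style lines on stdin (assumed column
# order: PRIORITY NAME FORMAT) and prints the highest priority at which NAME
# is installed, i.e. the copy the store actually uses. Returns 1 if absent.
active_module_priority() {
    awk -v name="$1" '
        BEGIN { best = -1; found = 0 }
        $2 == name && $1 + 0 > best { best = $1 + 0; found = 1 }
        END { if (found) print best; else exit 1 }'
}

# Constructed listing: passt is shipped by selinux-policy (100) and
# overridden by passt-selinux (200); sshd exists only in the base policy.
SAMPLE_LISTING='100 passt   pp
200 passt   pp
100 sshd    pp
400 mylocal pp'

# Dry run on a machine without SELinux:
#   SEMODULE=dry_run_semodule SELINUX_CONFIG=/nonexistent sh ./this_script.sh
if [ "$SEMODULE" = "dry_run_semodule" ]; then
    install_policy_modules 200 \
        /usr/share/selinux/packages/targeted/passt.pp \
        /usr/share/selinux/packages/targeted/pasta.pp \
        /usr/share/selinux/packages/targeted/passt-repair.pp
    printf 'passt is active at priority %s\n' \
        "$(printf '%s\n' "$SAMPLE_LISTING" | active_module_priority passt)"
fi
```

The dry run prints a single `semodule -n -s targeted -X 200 -i ... passt.pp ... pasta.pp ... passt-repair.pp` line, which is the shape of the one-run install Petr recommends; calling `install_policy_modules` three times with one module each would rebuild the store three times. The priority helper makes the second point of the thread concrete: with the same module name at 100 and 200, the 200 copy wins, so a -selinux subpackage overrides the distribution module without touching it.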