I have a MicroOS system, which installs upgrades every week and reboots. It has been running well for years.
Since around the kernel 7 upgrade, boot times have however been extremely long. The culprit is SELinux relabeling (i.e. from systemd-analyze blame: 53min 14.331s mnt-mydisk-relabel.service). It looks like a full relabeling is happening on the filesystems, which takes a long time, since this is a storage system with large disks.
Rebooting without first upgrading (i.e. transactional-update dup) is quick and no relabeling is done on the filesystem.
My understanding is that a full relabeling of an entire filesystem should almost never be done.
How does the system determine if relabeling is required? Is there anything on upgrades (perhaps a recent change) that forces a relabel?
Hiya. MicroOS relabels the entire filesystem every time SELinux is updated. It is normal behavior.
Even for additionally mounted partitions? I didn’t seem to see this behavior previously, but it was something that started happening (the slow boot) fairly recently. I wonder if there were some changes that have caused this?
Is there a way to disable it on specific partitions perhaps? It does not seem sensible to do a full relabel on large drives every upgrade, since it is highly time consuming.
I think so? At least I have /home/ on a separate drive and it is being relabeled as well.
According to a man page you can add folders you want to exclude to the /etc/selinux/fixfiles_exclude_dirs config. I haven’t tried it but hope it helps. You can test it by triggering a relabel using the touch /etc/selinux/.autorelabel command.
That seems like a sensible solution to exclude the large data dirs.
Is it required to undo the relabeling in these locations somehow when excluding them?
I guess you can leave it as is? If you erase labels, SELinux is likely to block things. And you’ll need to relabel those folders manually whenever you encounter SELinux problems.
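The exclusion file suggested in the thread only saves boot time if its entries are actually honored, so it is worth linting before triggering a relabel. The following is an added example, not code from the thread or from the SELinux tools; it assumes fixfiles skips blank lines and # comments and honors only absolute paths to existing directories, and the function name check_excludes and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an exclusion list the way fixfiles is ASSUMED to read it.
# Assumed rules: blank lines and '#' comments are skipped; an entry is honored
# only if it is an absolute path to an existing directory.

# check_excludes FILE
# Prints "OK <dir>" or "IGNORED <entry> (<reason>)" for each entry.
# Returns 0 if every entry would be honored, 1 if any would be ignored,
# 2 if the file cannot be read.
check_excludes() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "MISSING $file"; return 2; }
    while read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;            # blank line or comment
            /*) ;;                          # absolute path: check it below
            *)  echo "IGNORED $entry (not an absolute path)"
                rc=1
                continue ;;
        esac
        if [ -d "$entry" ]; then
            echo "OK $entry"
        else
            echo "IGNORED $entry (not an existing directory)"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample input (not from the thread): one valid directory,
# one relative path and one path that does not exist.
demo=$(mktemp -d)
mkdir "$demo/mydisk"
printf '%s\n' '# large data disk' "$demo/mydisk" 'mnt/mydisk' "$demo/typo" '' \
    > "$demo/exclude_dirs"
check_excludes "$demo/exclude_dirs" || echo "some entries would be ignored"
rm -rf "$demo"
```

On a real system, call check_excludes /etc/selinux/fixfiles_exclude_dirs before touching /etc/selinux/.autorelabel, so a mistyped mount point is caught without waiting for a full relabel.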