If pulp-selinux is being installed or uninstalled it has to run the restorecon statements. If there is a lot of file content in the pulp areas of the filesystem, the SELinux policy needs to take its time to label them properly or the SELinux policy won't work. Labeling them asynchronously is not viable IMO either because there is an expectation from the user that once the pulp-selinux install is complete they are protected, but asynchronous labeling would not yet be in place so they would still be vulnerable. I believe the way to resolve this is to avoid doing work unnecessarily. The reason we do work unnecessarily is because pulp-selinux is versioned in lock-step with Pulp. We should not have pulp-selinux lock-step versioned with Pulp. To do that right it needs to be moved to its own package with its own version. There are a few practical things that prevent us from doing that right now, but we're working through those. If pulp-selinux was not upgraded every time a new Pulp release comes out then yum wouldn't even run the restorecon statements unless it actually needs to.
You can also detect when changes are made, and only run restorecon on the applicable paths. This works better anyway, because if the future separated pulp-selinux has a small change unrelated to /var/lib/pulp, you don't also relabel that. I haven't looked into this too much, but it may help:

14:09 | stbenjam > is it typical to always run restorecon in a -selinux RPM %post? this is insane on pulp-selinux... /var/lib/pulp has hundreds of thousands of files :-(
14:11 | Dominic > stbenjam: you can optimise it in various ways, see fixfiles -C and probably selinux-policy pre/post script
14:11 | Dominic > stbenjam: I think you're basically only restoring contexts of files where there's a change in fcontext
14:21 | Dominic > stbenjam: line 277-282 in %pre, followed by 263-268 in %post.. http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/selinux-policy.spec#n265
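The approach Dominic points at, as an added example (not code from Pulp or from selinux-policy.spec): %pre keeps a copy of the old file_contexts, and %post relabels only the path patterns whose line differs, which is what `fixfiles -C PREVIOUS_FILECONTEXT restore` does with policycoreutils. The function names, the type names and the sample file_contexts entries below are constructed for illustration and assume nothing beyond POSIX sh plus coreutils.

```shell
# Added example, not Pulp's or selinux-policy.spec's code. It shows the idea
# behind `fixfiles -C PREVIOUS_FILECONTEXT restore`: diff the file_contexts
# saved in %pre against the one installed in %post and relabel only changed paths.

# Print the path regexes whose file_contexts line differs between OLD and NEW
# (added, removed or changed on either side). Comments and blank lines ignored.
changed_context_paths() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | sort -u > "$old_sorted"
    grep -v '^#' "$2" | grep -v '^[[:space:]]*$' | sort -u > "$new_sorted"
    # comm -3 keeps lines unique to either file; column 1 is the path regex.
    comm -3 "$old_sorted" "$new_sorted" | sed 's/^[[:space:]]*//' \
        | awk '{print $1}' | sort -u
    rm -f "$old_sorted" "$new_sorted"
}

# Turn a file_contexts path regex into a literal prefix restorecon can take:
# drop a trailing "(/.*)?" and unescape "\." (enough for typical entries).
path_prefix() {
    printf '%s\n' "$1" | sed -e 's|(/\.\*)?$||' -e 's|\\\.|.|g'
}

# %post-style step: relabel only the changed prefixes that exist on disk.
# restorecon is skipped when absent so the script stays runnable off-box.
relabel_changed() {
    changed_context_paths "$1" "$2" | while read -r pat; do
        dir=$(path_prefix "$pat")
        if command -v restorecon >/dev/null 2>&1 && [ -e "$dir" ]; then
            restorecon -R "$dir"
        fi
    done
}
# Constructed sample file_contexts (before/after a hypothetical pulp-selinux
# upgrade) so the functions above can be exercised without SELinux installed.
write_samples() {
    cat > "$1/old" <<'EOF'
# constructed sample
/var/lib/pulp(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0
/etc/pulp(/.*)?        system_u:object_r:httpd_sys_content_t:s0
/var/log/pulp(/.*)?    system_u:object_r:httpd_log_t:s0
EOF
    cat > "$1/new" <<'EOF'
# constructed sample
/var/lib/pulp(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0
/etc/pulp(/.*)?        system_u:object_r:httpd_config_t:s0
/var/log/pulp(/.*)?    system_u:object_r:httpd_log_t:s0
EOF
}
```

With the samples above only /etc/pulp is touched; /var/lib/pulp and its hundreds of thousands of files are left alone because their context line did not change.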
Moved to https://pulp.plan.io/issues/540