I'm running Fedora 40 on x86_64. I installed updates via the usual suspect (dnf upgrade) and passt and passt-selinux were upgraded: passt x86_64 0^20241030.gee7d0b6-1.fc40 updates 205 k passt-selinux noarch 0^20241030.gee7d0b6-1.fc40 updates 32 k Everything appears to have installed fine, but the scriptlet for passt-selinux has been running for about 45 minutes now. I'm not sure whether it's expected to take this long, but I obviously don't want to just kill it. The command in question appears in `htop` as: /sbin/restorecon -e /sys -e /proc -e /mnt -e /var/tmp -e /home -e /root -e /tmp -i -R -f - and is running with ~95% of a CPU core. UPDATE: Had a bit of a breakthrough. I noticed that `/usr/libexec/packagekitd` also was also popping up w/ 100% of a CPU core. It appears that the restorecon was thrashing packagekitd for some reason. I did a `systemctl stop packagekit` and the restorecon finished w/in seconds. There's nothing unusual in the packagekit journal during the period when the upgrade was running before I stopped it. Packagekit info in case it's useful: Installed Packages Name : PackageKit Version : 1.2.8 Release : 8.fc40 Architecture : x86_64 Size : 2.9 M Source : PackageKit-1.2.8-8.fc40.src.rpm Repository : @System From repo : updates Reproducible: Didn't try
Garrett, thanks for reporting this. The installation scriptlets for passt-selinux use the %selinux_relabel_pre and %selinux_relabel_post macros: the former prepares a list of SELinux contexts for the affected files, and the latter ensures we relabel only the affected files. I wouldn't expect such a wide 'restorecon' to be issued as a result of that, so I have a couple of questions: - did you have a look at the parent process for that 'restorecon' command? - was the passt-selinux scriptlet just running for a very long time, or it also had very high CPU usage? - I haven't tried to reproduce this yet... do you think you would have a chance to? How big was the package update otherwise?
Hello, I'm experiencing the same issue. During the previous dnf upgrade I killed the upgrade process, this time I'm still waiting for it to finish: dnf output: 228/265] Removing qemu-device-display-virtio-gpu-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 129.0 B/s | 4.0 B | 00m00s [229/265] Removing qemu-device-usb-redirect-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s [230/265] Removing qemu-ui-curses-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [231/265] Removing intel-gmmlib-0:22.5.2-1.fc41.x86_64 100% | 1.8 KiB/s | 9.0 B | 00m00s [232/265] Removing qemu-block-blkio-2:9.1.1-2.fc41.x86_64 100% | 1.3 KiB/s | 4.0 B | 00m00s [233/265] Removing qemu-block-dmg-2:9.1.1-2.fc41.x86_64 100% | 1.3 KiB/s | 4.0 B | 00m00s [234/265] Removing qemu-block-gluster-2:9.1.1-2.fc41.x86_64 100% | 105.0 B/s | 4.0 B | 00m00s [235/265] Removing qemu-ui-egl-headless-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s [236/265] Removing qemu-ui-opengl-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s [237/265] Removing qemu-device-display-virtio-gpu-pci-gl-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [238/265] Removing rubygem-irb-0:1.13.1-14.fc41.noarch 100% | 23.6 KiB/s | 169.0 B | 00m00s [239/265] Removing qemu-device-display-virtio-gpu-gl-2:9.1.1-2.fc41.x86_64 100% | 125.0 B/s | 4.0 B | 00m00s [240/265] Removing rubygem-rdoc-0:6.6.3.1-14.fc41.noarch 100% | 9.2 KiB/s | 198.0 B | 00m00s [241/265] Removing qemu-device-display-virtio-gpu-ccw-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [242/265] Removing qemu-device-display-virtio-gpu-pci-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 750.0 B/s | 3.0 B | 00m00s [243/265] Removing qemu-device-display-virtio-gpu-pci-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [244/265] Removing qemu-device-display-virtio-vga-gl-2:9.1.1-2.fc41.x86_64 100% | 75.0 B/s | 3.0 B | 00m00s [245/265] Removing qemu-device-display-virtio-vga-rutabaga-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [246/265] Removing rubygem-io-console-0:0.7.1-14.fc41.x86_64 100% | 4.9 KiB/s | 15.0 B | 00m00s [247/265] Removing rubygem-psych-0:5.1.2-14.fc41.x86_64 100% | 10.5 KiB/s | 54.0 B | 00m00s [248/265] Removing ruby-default-gems-0:3.3.5-14.fc41.noarch 100% | 10.0 KiB/s | 72.0 B | 00m00s [249/265] Removing rubygems-0:3.5.16-14.fc41.noarch 100% | 14.9 KiB/s | 305.0 B | 00m00s [250/265] Removing passt-selinux-0:0^20241030.gee7d0b6-1.fc41.noarch 100% | 58.0 B/s | 3.0 B | 00m00s [251/265] Removing selinux-policy-0:41.25-1.fc41.noarch 100% | 200.0 B/s | 12.0 B | 00m00s [252/265] Removing selinux-policy-targeted-0:41.25-1.fc41.noarch 100% | 19.9 KiB/s | 1.7 KiB | 00m00s [253/265] Removing evolution-data-server-langpacks-0:3.54.1-1.fc41.noarch 100% | 4.8 KiB/s | 89.0 B | 00m00s [254/265] Removing grub2-common-1:2.12-10.fc41.noarch 100% | 9.3 KiB/s | 57.0 B | 00m00s [255/265] Removing pcp-conf-0:6.3.1-1.fc41.x86_64 100% | 6.2 KiB/s | 19.0 B | 00m00s [256/265] Removing cups-filesystem-1:2.4.11-2.fc41.noarch 100% | 387.0 B/s | 12.0 B | 00m00s [257/265] Removing mutter-common-0:47.1-2.fc41.noarch 100% | 2.0 KiB/s | 8.0 B | 00m00s [258/265] Removing ruby-libs-0:3.3.5-14.fc41.x86_64 100% | 8.2 KiB/s | 596.0 B | 00m00s [259/265] Removing qemu-device-display-virtio-vga-2:9.1.1-2.fc41.x86_64 100% | 800.0 B/s | 4.0 B | 00m00s [260/265] Removing qemu-device-display-virtio-gpu-2:9.1.1-2.fc41.x86_64 100% | 1.0 KiB/s | 4.0 B | 00m00s [261/265] Removing qemu-common-2:9.1.1-2.fc41.x86_64 100% | 1.9 KiB/s | 100.0 B | 00m00s [262/265] Removing glibc-0:2.40-11.fc41.x86_64 100% | 6.5 KiB/s | 100.0 B | 00m00s [263/265] Removing glibc-langpack-en-0:2.40-11.fc41.x86_64 100% | 80.1 KiB/s | 492.0 B | 00m00s [264/265] Removing glibc-gconv-extra-0:2.40-11.fc41.x86_64 100% | 7.7 KiB/s | 627.0 B | 00m00s [265/265] Removing glibc-common-0:2.40-11.fc41.x86_64 100% [==================] | 2.0 B/s | 53.0 B | -00m00s >>> Running post-transaction scriptlet: passt-selinux-0:0^20241121.g238c69f-1.fc41.noarch pstree: root@m ~ [SIGINT]# pstree -pa | rg dnf -C 10 | | | |-{Xwayland},6327 | | | |-{Xwayland},6328 | | | |-{Xwayland},6329 | | | |-{Xwayland},6330 | | | |-{Xwayland},6331 | | | |-{Xwayland},6332 | | | |-{Xwayland},6333 | | | `-{Xwayland},6387 | | |-alacritty,57416 | | | |-fish,57483 | | | | `-sudo,57952 dnf upgrade --refresh | | | | `-sudo,57981 dnf upgrade --refresh | | | | `-dnf,57982 upgrade --refresh | | | | |-sh,59778 /var/tmp/rpm-tmp.SadBzo 2 | | | | | `-fixfiles,59781 /sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore | | | | | `-restorecon,60420 -e /sys -e /proc -e /mnt -e /var/tmp -e /home -e /root -e /tmp -i -R ... | | | | `-{dnf},58249 strace reports huge amount of operations, so this is just a small part: newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdcache.h", {st_mode=S_IFREG|0644, st_size=2679, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontg.h", {st_mode=S_IFREG|0644, st_size=490, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontl.h", {st_mode=S_IFREG|0644, st_size=488, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontmb.h", {st_mode=S_IFREG|0644, st_size=451, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfonts.h", {st_mode=S_IFREG|0644, st_size=452, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontt.h", {st_mode=S_IFREG|0644, st_size=484, ...}, AT_SYMLINK_NOFOLLOW) = 0 getdents64(3, 0x55ae3c17cf40 /* 0 entries */, 32768) = 0 close(3) = 0 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd_clip.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gd_io.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdcache.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontg.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontl.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontmb.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfonts.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd/gdfontt.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/gd.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/ipa.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/macro.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/svg.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/types.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libwmf/x.h", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 openat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0755, st_size=12, ...}) = 0 getdents64(3, 0x55ae3c17cf40 /* 3 entries */, 32768) = 80 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", {st_mode=S_IFDIR|0755, st_size=930, ...}, AT_SYMLINK_NOFOLLOW) = 0 getdents64(3, 0x55ae3c17cf40 /* 0 entries */, 32768) = 0 close(3) = 0 lgetxattr("/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", "security.selinux", "system_u:object_r:container_var_"..., 255) = 41 openat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0755, st_size=930, ...}) = 0 getdents64(3, 0x55ae3c17cf40 /* 49 entries */, 32768) = 1592 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/DOCBparser.h", {st_mode=S_IFREG|0644, st_size=3157, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/HTMLparser.h", {st_mode=S_IFREG|0644, st_size=9410, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/HTMLtree.h", {st_mode=S_IFREG|0644, st_size=3646, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/SAX.h", {st_mode=S_IFREG|0644, st_size=4341, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/SAX2.h", {st_mode=S_IFREG|0644, st_size=4949, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/c14n.h", {st_mode=S_IFREG|0644, st_size=3115, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/catalog.h", {st_mode=S_IFREG|0644, st_size=4906, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/chvalid.h", {st_mode=S_IFREG|0644, st_size=5159, ...}, AT_SYMLINK_NOFOLLOW) = 0 newfstatat(AT_FDCWD, "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/libxml2/libxml/debugXML.h", {st_mode=S_IFREG|0644, st_size=5152, ...}, AT_SYMLINK_NOFOLLOW) = 0 the CPU usage is high and the laptop fan is very noisy
(In reply to Martin Sehnoutka from comment #2) > | | | | | `-restorecon,60420 -e /sys -e /proc -e > /mnt -e /var/tmp -e /home -e /root -e /tmp -i -R ... > | | | | `-{dnf},58249 > > [...] > > newfstatat(AT_FDCWD, > "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/ > libwmf/gd/gdcache.h", {st_mode=S_IFREG|0644, st_size=2679, ...}, > AT_SYMLINK_NOFOLLOW) = 0 > newfstatat(AT_FDCWD, > "/var/lib/docker/btrfs/subvolumes/5wr04963gk9y47tfni8njvvp8/usr/include/ > libwmf/gd/gdfontg.h", {st_mode=S_IFREG|0644, st_size=490, ...}, > AT_SYMLINK_NOFOLLOW) = 0 > > [...] Ouch, it's relabeling the whole filesystem. I'm still trying to find out why.
Petr, do you have a hint for me here? The passt-selinux scriptlets are the "recommended": -- %pre selinux %selinux_relabel_pre -s %{selinuxtype} %post selinux %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/passt.pp %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/pasta.pp %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} passt %selinux_modules_uninstall -s %{selinuxtype} pasta fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} -- and since some time %selinux_relabel_post decides to relabel the whole root filesystem (and beyond?). What am I doing wrong?
It's probably the known problem which rarely happens, see https://bugzilla.redhat.com/show_bug.cgi?id=2318279 It's related to changes in selinux-policy which affect high level paths like /usr/ and which use regexp. E.g. If there's a change like sbin -> bin merge the scriptlet runs relabel on whole /usr and it could take its time.
(In reply to Petr Lautrbach from comment #5) > It's probably the known problem which rarely happens, see > https://bugzilla.redhat.com/show_bug.cgi?id=2318279 > > It's related to changes in selinux-policy which affect high level paths like > /usr/ and which use regexp. E.g. If there's a change like sbin -> bin merge > the scriptlet runs relabel on whole /usr and it could take its time. Thanks Petr for the explanation! Garrett, Martin, there isn't much we can do: this upgrade will take a long time, but it's a one-off thing. It's not specific to passt-selinux files, it's just that this package triggers a relabeling at the end of the transaction. I would mark this as duplicate of bz2318279 if it makes sense to you. Let me know.
Yes, I saw that commit in selinux policy, it is not a great upgrade path, but I completely understand there is not much to do. Thanks! :-) Closing the bug as duplicate makes sense to me.
Wasn't able to reproduce this on my other system, but closing as duplicate makes sense I think. Curious that it finished when I stopped packagekit, but that might've just been a coincidence. Thanks for the investigation. *** This bug has been marked as a duplicate of bug 2318279 ***