executor: lazily load SELinux

Loading the SELinux DB on every invocation can be slow and
takes 2ms-10ms, so do not initialize it unconditionally, but
wait for the first use. On a mkosi Fedora rawhide image, this
cuts the number of loads in half.

diff --git a/src/core/executor.c b/src/core/executor.c
index 86fbaef347060de31d9114c633c725c8c79b8881..e07a6890743aacba2b34d6ee0605b220abc3d2ba 100644 (file)
--- a/src/core/executor.c
+++ b/src/core/executor.c
@@ -199,10 +199,6 @@ int main(int argc, char *argv[]) {
         log_set_prohibit_ipc(true);
         log_setup();
 
-        r = mac_init();
-        if (r < 0)
-                return log_error_errno(r, "Failed to initialize MAC layer: %m");
-
         r = fdset_new_fill(/* filter_cloexec= */ 0, &fdset);
         if (r < 0)
                 return log_error_errno(r, "Failed to create fd set: %m");
@@ -217,6 +213,13 @@ int main(int argc, char *argv[]) {
                 log_open();
         }
 
+        /* Initialize lazily. SMACK is just a few operations, but the SELinux is very slow as it requires
+         * loading the entire database in memory, so we will do it lazily only if it is actually needed, to
+         * avoid wasting 2ms-10ms for each sd-executor that gets spawned. */
+        r = mac_init_lazy();
+        if (r < 0)
+                return log_error_errno(r, "Failed to initialize MAC layer: %m");
+
         r = fdset_remove(fdset, fileno(arg_serialization));
         if (r < 0)
                 return log_error_errno(r, "Failed to remove serialization fd from fd set: %m");