separate "touch /.autorelabel" to a new unit

Writing /.autorelabel from fedora-autorelabel does not work because the
script is executed only if relabel was already requested.

Create a new unit fedora-autorelabel-mark.service which will be
responsible for creating /.autorelabel if SELinux is disabled.
The unit takes advantage of the new "ConditionSecurity=" support in
systemd.

The old script checked for a read-only filesystem first. The new unit
does not do that. If / is read-only, touch will simply fail. This should
not be considered as a failure of the unit, so "-" is used in ExecStart.

There have been arguments on systemd-devel that the root directory
should not be abused for flag files like /.autorelabel. It has a long
tradition in Fedora though (since 2005). Maybe we can change it
eventually, but let's keep it where it is for now.

1 files changed, 15 insertions, 0 deletions

diff --git a/systemd/system/fedora-autorelabel-mark.service b/systemd/system/fedora-autorelabel-mark.service
new file mode 100644
index 00000000..33b5147b
--- /dev/null
+++ b/systemd/system/fedora-autorelabel-mark.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes