From 93d8f7b7d63689e9244d1ce942997c0e32bdd7cb Mon Sep 17 00:00:00 2001
From: Michal Schmidt
Date: Mon, 4 Apr 2011 09:56:57 +0200
Subject: let systemd check the conditions for fedora-autorelabel

The service unit file already checks whether /.autorelabel or the "autorelabel" parameter are present. No need to recheck in the script. Using the new "ConditionSecurity=" feature systemd can also check whether SELinux is enabled.
---
 systemd/fedora-autorelabel | 21 +++------------------
 systemd/system/fedora-autorelabel.service | 1 +
 2 files changed, 4 insertions(+), 18 deletions(-)
(limited to 'systemd')
diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel
index 326837b2..d83040a3 100755
--- a/systemd/fedora-autorelabel
+++ b/systemd/fedora-autorelabel
@@ -8,17 +8,6 @@ PLYMOUTH=
 [ -x /usr/bin/plymouth ] && PLYMOUTH=yes
-# Check SELinux status
-SELINUX_STATE=
-if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
- if [ -r "/selinux/enforce" ] ; then
- SELINUX_STATE=$(cat "/selinux/enforce")
- else
- # assume enforcing if you can't read it
- SELINUX_STATE=1
- fi
-fi
-
 relabel_selinux() {
 # if /sbin/init is not labeled correctly this process is running in the
 # wrong context, so a reboot will be required after relabel
@@ -47,14 +36,10 @@ relabel_selinux() {
 systemctl --force reboot
 }
-[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)
-
 # Check to see if a full relabel is needed
-if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
- if strstr "$cmdline" autorelabel || [ -f /.autorelabel ] ; then
- restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
- relabel_selinux
- fi
+if [ "$READONLY" != "yes" ]; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ relabel_selinux
 else
 if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
 [ -f /.autorelabel ] || touch /.autorelabel
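Review bot: In the second hunk of systemd/fedora-autorelabel the `else` branch is now dead: it is entered only when `$READONLY` is `yes`, and its first statement is `if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then`, which can never be true there. Before this change that branch also ran when `SELINUX_STATE` was empty, so the `touch /.autorelabel` marker for a later relabel appears to be lost rather than moved; if that is intended, delete the branch so the script ends at `relabel_selinux`, otherwise the marker needs a home that still runs when `ConditionSecurity=selinux` fails. The script also no longer guards itself, so a direct invocation outside the unit reaches `relabel_selinux` and its `systemctl --force reboot` unconditionally; a header comment such as `# Preconditions (SELinux enabled, autorelabel requested) are enforced by fedora-autorelabel.service; do not run directly.` would record that. The `if`/`else` continues past the end of the hunk.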
diff --git a/systemd/system/fedora-autorelabel.service b/systemd/system/fedora-autorelabel.service
index cd6a84b3..c98a40ff 100644
--- a/systemd/system/fedora-autorelabel.service
+++ b/systemd/system/fedora-autorelabel.service
@@ -5,6 +5,7 @@ Requires=local-fs.target
 Conflicts=shutdown.target
 After=local-fs.target
 Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
 ConditionKernelCommandLine=|autorelabel
 ConditionPathExists=|/.autorelabel
--
cgit v1.2.1
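Review bot: `ConditionSecurity=selinux` is now the only SELinux check on the relabel path, since the same commit removes the `SELINUX_STATE` test from the script, and the commit message calls the directive new. On a systemd that does not know the key, the line would presumably be ignored with a warning rather than fail the unit, leaving the relabel and forced reboot gated only by the two `|` trigger conditions. I would pin that coupling with a packaging dependency on the first systemd release that supports the directive (`Requires: systemd >= <VERSION>`, placeholder) and a comment above the line, e.g. `# SELinux-enabled check; the script no longer tests this itself`.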