author | Michal Schmidt <mschmidt@redhat.com> | 2011-04-04 09:56:57 +0200 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2011-04-04 11:33:11 -0400 |
commit | 93d8f7b7d63689e9244d1ce942997c0e32bdd7cb (patch) | |
tree | 7f3b77cc6c62dca7077f09509cc8a2c7c23f9fae | |
parent | bbeaaf153d9feb059f658aab0c59a865856ff407 (diff) | |
let systemd check the conditions for fedora-autorelabel
The service unit file already checks whether /.autorelabel or the
"autorelabel" parameter are present. No need to recheck in the script.
Using the new "ConditionSecurity=" feature systemd can also check
whether SELinux is enabled.
-rwxr-xr-x | systemd/fedora-autorelabel | 21 | ||||
-rw-r--r-- | systemd/system/fedora-autorelabel.service | 1 |
2 files changed, 4 insertions, 18 deletions
diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel
index 326837b2..d83040a3 100755
--- a/systemd/fedora-autorelabel
+++ b/systemd/fedora-autorelabel
@@ -8,17 +8,6 @@ PLYMOUTH=
 [ -x /usr/bin/plymouth ] && PLYMOUTH=yes
-# Check SELinux status
-SELINUX_STATE=
-if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
- if [ -r "/selinux/enforce" ] ; then
- SELINUX_STATE=$(cat "/selinux/enforce")
- else
- # assume enforcing if you can't read it
- SELINUX_STATE=1
- fi
-fi
-
 relabel_selinux() {
 # if /sbin/init is not labeled correctly this process is running in the
 # wrong context, so a reboot will be required after relabel
@@ -47,14 +36,10 @@ relabel_selinux() {
 systemctl --force reboot
 }
-[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)
-
 # Check to see if a full relabel is needed
-if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
- if strstr "$cmdline" autorelabel || [ -f /.autorelabel ] ; then
- restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
- relabel_selinux
- fi
+if [ "$READONLY" != "yes" ]; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ relabel_selinux
 else
 if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
 [ -f /.autorelabel ] || touch /.autorelabel
diff --git a/systemd/system/fedora-autorelabel.service b/systemd/system/fedora-autorelabel.service
index cd6a84b3..c98a40ff 100644
--- a/systemd/system/fedora-autorelabel.service
+++ b/systemd/system/fedora-autorelabel.service
@@ -5,6 +5,7 @@ Requires=local-fs.target
 Conflicts=shutdown.target
 After=local-fs.target
 Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
 ConditionKernelCommandLine=|autorelabel
 ConditionPathExists=|/.autorelabel |
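Review bot: The `else` arm left as context under the new `if [ "$READONLY" != "yes" ]` in the second hunk of systemd/fedora-autorelabel is now dead code: it is entered only when READONLY is "yes", so its inner test `[ "$READONLY" != "yes" ] && [ -d /etc/selinux ]` can never succeed and `touch /.autorelabel` never runs. Before this change that arm ran when SELinux was off and flagged the filesystem for a relabel on the next SELinux-enabled boot. With `ConditionSecurity=selinux` the script is not started in that state at all, so files created while SELinux is disabled may keep missing or stale labels unless something outside this diff sets the flag. I would either drop the dead arm and record the behaviour change in the commit message, or move the flag creation to a unit that runs when SELinux is disabled. The `else` block closes outside the hunk.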
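Review bot: Nothing in the unit file records that these Condition lines are now the only guard in front of a full relabel followed by `systemctl --force reboot`. The script no longer re-checks the kernel command line, /.autorelabel or the SELinux state, so starting it by hand or from another unit relabels and reboots whenever READONLY is not "yes". A comment above the added line would keep the two files in step, for example `# fedora-autorelabel relies on these conditions and does not re-check them`. The [Unit] section starts outside the hunk.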