authorMichal Schmidt <mschmidt@redhat.com>2011-04-04 09:57:08 +0200
committerBill Nottingham <notting@redhat.com>2011-04-04 11:33:11 -0400
commitd88e9d09a6570fe729735740a966ed758ff81141 (patch)
treee9109be38c7a07a5b6197a419f2bed47dc6a9f36
parent4c34204a40e0369442adb9e595ee3d5df5c1bb3f (diff)
separate "touch /.autorelabel" to a new unit
Writing /.autorelabel from fedora-autorelabel does not work because the script is executed only if relabel was already requested. Create a new unit fedora-autorelabel-mark.service which will be responsible for creating /.autorelabel if SELinux is disabled. The unit takes advantage of the new "ConditionSecurity=" support in systemd. The old script checked for a read-only filesystem first. The new unit does not do that. If / is read-only, touch will simply fail. This should not be considered as a failure of the unit, so "-" is used in ExecStart. There have been arguments on systemd-devel that the root directory should not be abused for flag files like /.autorelabel. It has a long tradition in Fedora though (since 2005). Maybe we can change it eventually, but let's keep it where it is for now.
-rw-r--r--Makefile1
-rwxr-xr-xsystemd/fedora-autorelabel4
-rw-r--r--systemd/system/fedora-autorelabel-mark.service15
3 files changed, 16 insertions, 4 deletions
diff --git a/Makefile b/Makefile
index a788e0ae..39dd84e2 100644
--- a/Makefile
+++ b/Makefile
@@ -126,6 +126,7 @@ install:
ln -s ../fedora-loadmodules.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-autoswap.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-autorelabel.service $(ROOT)/lib/systemd/system/basic.target.wants
+ ln -s ../fedora-autorelabel-mark.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-sysinit-hack.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-readonly.service $(ROOT)/lib/systemd/system/local-fs.target.wants
ln -s ../fedora-storage-init.service $(ROOT)/lib/systemd/system/local-fs.target.wants
diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel
index 204c5761..dad7a91f 100755
--- a/systemd/fedora-autorelabel
+++ b/systemd/fedora-autorelabel
@@ -37,8 +37,4 @@ relabel_selinux() {
if [ "$READONLY" != "yes" ]; then
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
relabel_selinux
-else
- if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
- [ -f /.autorelabel ] || touch /.autorelabel
- fi
fi
diff --git a/systemd/system/fedora-autorelabel-mark.service b/systemd/system/fedora-autorelabel-mark.service
new file mode 100644
index 00000000..33b5147b
--- /dev/null
+++ b/systemd/system/fedora-autorelabel-mark.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
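Review bot: The new unit file has no comment explaining the `-` prefix on `ExecStart=-/bin/touch /.autorelabel`, and that prefix ignores every failure of touch, not only the read-only-root case the commit message describes. With `RemainAfterExit=yes` the unit still ends up active in that case, so a mark that was never written does not show in the unit state. The relabel would then be skipped once SELinux is enabled again, and files created while it was disabled would keep missing or stale labels. I would add a comment above that line, `# "-": touch fails on a read-only /; that must not fail the unit (any other touch error is ignored too)`, and one above the three Condition lines, `# Run only if SELinux is not enabled, /etc/selinux exists and no relabel is already requested`.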