diff options
author | Michal Schmidt <mschmidt@redhat.com> | 2011-04-04 09:57:08 +0200 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2011-04-04 11:33:11 -0400 |
commit | d88e9d09a6570fe729735740a966ed758ff81141 (patch) | |
tree | e9109be38c7a07a5b6197a419f2bed47dc6a9f36 | |
parent | 4c34204a40e0369442adb9e595ee3d5df5c1bb3f (diff) | |
download | initscripts-d88e9d09a6570fe729735740a966ed758ff81141.tar initscripts-d88e9d09a6570fe729735740a966ed758ff81141.tar.gz initscripts-d88e9d09a6570fe729735740a966ed758ff81141.tar.bz2 initscripts-d88e9d09a6570fe729735740a966ed758ff81141.tar.xz initscripts-d88e9d09a6570fe729735740a966ed758ff81141.zip |
separate "touch /.autorelabel" to a new unit
Writing /.autorelabel from fedora-autorelabel does not work because the
script is executed only if relabel was already requested.
Create a new unit fedora-autorelabel-mark.service which will be
responsible for creating /.autorelabel if SELinux is disabled.
The unit takes advantage of the new "ConditionSecurity=" support in
systemd.
The old script checked for a read-only filesystem first. The new unit
does not do that. If / is read-only, touch will simply fail. This should
not be considered as a failure of the unit, so "-" is used in ExecStart.
There have been arguments on systemd-devel that the root directory
should not be abused for flag files like /.autorelabel. It has a long
tradition in Fedora though (since 2005). Maybe we can change it
eventually, but let's keep it where it is for now.
-rw-r--r-- | Makefile | 1 | ||||
-rwxr-xr-x | systemd/fedora-autorelabel | 4 | ||||
-rw-r--r-- | systemd/system/fedora-autorelabel-mark.service | 15 |
3 files changed, 16 insertions, 4 deletions
@@ -126,6 +126,7 @@ install: ln -s ../fedora-loadmodules.service $(ROOT)/lib/systemd/system/basic.target.wants ln -s ../fedora-autoswap.service $(ROOT)/lib/systemd/system/basic.target.wants ln -s ../fedora-autorelabel.service $(ROOT)/lib/systemd/system/basic.target.wants + ln -s ../fedora-autorelabel-mark.service $(ROOT)/lib/systemd/system/basic.target.wants ln -s ../fedora-sysinit-hack.service $(ROOT)/lib/systemd/system/basic.target.wants ln -s ../fedora-readonly.service $(ROOT)/lib/systemd/system/local-fs.target.wants ln -s ../fedora-storage-init.service $(ROOT)/lib/systemd/system/local-fs.target.wants diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel index 204c5761..dad7a91f 100755 --- a/systemd/fedora-autorelabel +++ b/systemd/fedora-autorelabel @@ -37,8 +37,4 @@ relabel_selinux() { if [ "$READONLY" != "yes" ]; then restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1 relabel_selinux -else - if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then - [ -f /.autorelabel ] || touch /.autorelabel - fi fi diff --git a/systemd/system/fedora-autorelabel-mark.service b/systemd/system/fedora-autorelabel-mark.service new file mode 100644 index 00000000..33b5147b --- /dev/null +++ b/systemd/system/fedora-autorelabel-mark.service @@ -0,0 +1,15 @@ +[Unit] +Description=Mark the need to relabel after reboot +DefaultDependencies=no +Requires=local-fs.target +Conflicts=shutdown.target +After=local-fs.target +Before=sysinit.target shutdown.target +ConditionSecurity=!selinux +ConditionPathIsDirectory=/etc/selinux +ConditionPathExists=!/.autorelabel + +[Service] +ExecStart=-/bin/touch /.autorelabel +Type=oneshot +RemainAfterExit=yes |