-rw-r--r--Makefile1
-rwxr-xr-xsystemd/fedora-autorelabel84
-rw-r--r--systemd/system/fedora-autorelabel.service14
3 files changed, 99 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index da10ea96..e93fef09 100644
--- a/Makefile
+++ b/Makefile
@@ -128,6 +128,7 @@ install:
ln -s ../fedora-configure.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-loadmodules.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-autoswap.service $(ROOT)/lib/systemd/system/basic.target.wants
+ ln -s ../fedora-autorelabel.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-sysinit-hack.service $(ROOT)/lib/systemd/system/basic.target.wants
ln -s ../fedora-readonly.service $(ROOT)/lib/systemd/system/local-fs.target.wants
ln -s ../fedora-storage-init.service $(ROOT)/lib/systemd/system/local-fs.target.wants
diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel
new file mode 100755
index 00000000..9144d59e
--- /dev/null
+++ b/systemd/fedora-autorelabel
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# fsck, mount, set quotas, and relabel filesystems.
+#
+
+. /etc/init.d/functions
+
+PLYMOUTH=
+[ -x /usr/bin/plymouth ] && PLYMOUTH=yes
+
+# Check SELinux status
+SELINUX_STATE=
+if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+ if [ -r "/selinux/enforce" ] ; then
+ SELINUX_STATE=$(cat "/selinux/enforce")
+ else
+ # assume enforcing if you can't read it
+ SELINUX_STATE=1
+ fi
+fi
+
+disable_selinux() {
+ echo $"*** Warning -- SELinux is active"
+ echo $"*** Disabling security enforcement for system recovery."
+ echo $"*** Run 'setenforce 1' to reenable."
+ echo "0" > "/selinux/enforce"
+}
+
+relabel_selinux() {
+ # if /sbin/init is not labeled correctly this process is running in the
+ # wrong context, so a reboot will be required after relabel
+ AUTORELABEL=
+ . /etc/selinux/config
+ echo "0" > /selinux/enforce
+ [ -n "$PLYMOUTH" ] && plymouth --hide-splash
+
+ if [ "$AUTORELABEL" = "0" ]; then
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+ echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+ echo $"*** problems. Dropping you to a shell; the system will reboot"
+ echo $"*** when you leave the shell."
+ sulogin
+
+ else
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+ echo $"*** Relabeling could take a very long time, depending on file"
+ echo $"*** system size and speed of hard drives."
+
+ /sbin/fixfiles -F restore > /dev/null 2>&1
+ fi
+ rm -f /.autorelabel
+ echo $"Unmounting file systems"
+ umount -a
+ mount -n -o remount,ro /
+ echo $"Automatic reboot in progress."
+ reboot -f
+}
+
+[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)
+
+# Clean up SELinux labels
+if [ -n "$SELINUX_STATE" ]; then
+ restorecon /etc/mtab /etc/ld.so.cache /etc/blkid/blkid.tab /etc/resolv.conf >/dev/null 2>&1
+fi
+
+# If relabeling, relabel mount points.
+if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
+ if strstr "$cmdline" autorelabel || [ -f /.autorelabel ] ; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ fi
+fi
+
+# Check to see if a full relabel is needed
+if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
+ if strstr "$cmdline" autorelabel || [ -f /.autorelabel ] ; then
+ relabel_selinux
+ fi
+else
+ if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
+ [ -f /.autorelabel ] || touch /.autorelabel
+ fi
+fi
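Review bot: In relabel_selinux, the exit status of `/sbin/fixfiles -F restore` is discarded together with its output, and `rm -f /.autorelabel` then runs unconditionally, so a failed or partial relabel looks the same as a successful one and the machine reboots with the flag cleared and file contexts possibly still wrong. At minimum make the failure visible on the console, e.g. `/sbin/fixfiles -F restore > /dev/null 2>&1 || echo $"*** Warning -- relabel failed, file contexts may be incomplete"`. `READONLY` is tested three times but never assigned in this file, so unless /etc/init.d/functions sets it the `!= "yes"` checks are always true; `disable_selinux` is defined but never called here. The header comment still says "fsck, mount, set quotas", which this script does not do.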
diff --git a/systemd/system/fedora-autorelabel.service b/systemd/system/fedora-autorelabel.service
new file mode 100644
index 00000000..bca3f956
--- /dev/null
+++ b/systemd/system/fedora-autorelabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems, if necessary
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=shutdown.target emergency.service emergency.target
+After=local-fs.target
+Requires=remount-rootfs.service local-fs.target
+
+[Service]
+ExecStart=/lib/systemd/fedora-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
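Review bot: `Requires=remount-rootfs.service` has no matching `After=`, and Requires= alone does not order the two units; the script removes or creates /.autorelabel and rewrites labels on /, so it needs the root filesystem to be remounted read-write first. The ordering is presumably inherited through `After=local-fs.target`, but writing `After=local-fs.target remount-rootfs.service` states it directly and does not depend on how that target is wired. A short comment would also help: `TimeoutSec=0` is there because a full relabel can run for a very long time, and `StandardInput=tty` is needed for the sulogin path in the script.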