Writing /.autorelabel from fedora-autorelabel does not work because the
script is executed only if relabel was already requested.

Create a new unit fedora-autorelabel-mark.service which will be
responsible for creating /.autorelabel if SELinux is disabled.
The unit takes advantage of the new "ConditionSecurity=" support in
systemd.

The old script checked for a read-only filesystem first. The new unit
does not do that. If / is read-only, touch will simply fail. This should
not be considered as a failure of the unit, so "-" is used in ExecStart.

There have been arguments on systemd-devel that the root directory
should not be abused for flag files like /.autorelabel. It has a long
tradition in Fedora though (since 2005). Maybe we can change it
eventually, but let's keep it where it is for now.