From d88e9d09a6570fe729735740a966ed758ff81141 Mon Sep 17 00:00:00 2001 From: Michal Schmidt Date: Mon, 4 Apr 2011 09:57:08 +0200 Subject: separate "touch /.autorelabel" to a new unit Writing /.autorelabel from fedora-autorelabel does not work because the script is executed only if relabel was already requested. Create a new unit fedora-autorelabel-mark.service which will be responsible for creating /.autorelabel if SELinux is disabled. The unit takes advantage of the new "ConditionSecurity=" support in systemd. The old script checked for a read-only filesystem first. The new unit does not do that. If / is read-only, touch will simply fail. This should not be considered as a failure of the unit, so "-" is used in ExecStart. There have been arguments on systemd-devel that the root directory should not be abused for flag files like /.autorelabel. It has a long tradition in Fedora though (since 2005). Maybe we can change it eventually, but let's keep it where it is for now.
---
Makefile | 1 + systemd/fedora-autorelabel | 4 ---- systemd/system/fedora-autorelabel-mark.service | 15 +++++++++++++++ 3 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 systemd/system/fedora-autorelabel-mark.service
diff --git a/Makefile b/Makefile
index a788e0ae..39dd84e2 100644
--- a/Makefile
+++ b/Makefile
@@ -126,6 +126,7 @@ install:
 ln -s ../fedora-loadmodules.service $(ROOT)/lib/systemd/system/basic.target.wants
 ln -s ../fedora-autoswap.service $(ROOT)/lib/systemd/system/basic.target.wants
 ln -s ../fedora-autorelabel.service $(ROOT)/lib/systemd/system/basic.target.wants
+ ln -s ../fedora-autorelabel-mark.service $(ROOT)/lib/systemd/system/basic.target.wants
 ln -s ../fedora-sysinit-hack.service $(ROOT)/lib/systemd/system/basic.target.wants
 ln -s ../fedora-readonly.service $(ROOT)/lib/systemd/system/local-fs.target.wants
 ln -s ../fedora-storage-init.service $(ROOT)/lib/systemd/system/local-fs.target.wants
diff --git a/systemd/fedora-autorelabel b/systemd/fedora-autorelabel
index 204c5761..dad7a91f 100755
--- a/systemd/fedora-autorelabel
+++ b/systemd/fedora-autorelabel
@@ -37,8 +37,4 @@ relabel_selinux() {
 if [ "$READONLY" != "yes" ]; then
 restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
 relabel_selinux
-else
- if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
- [ -f /.autorelabel ] || touch /.autorelabel
- fi
 fi
diff --git a/systemd/system/fedora-autorelabel-mark.service b/systemd/system/fedora-autorelabel-mark.service
new file mode 100644
index 00000000..33b5147b
--- /dev/null
+++ b/systemd/system/fedora-autorelabel-mark.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
-- cgit v1.2.1
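Review bot: The `-` prefix on `ExecStart=-/bin/touch /.autorelabel` in the new unit hides every failure of touch, not only the read-only root case the commit message describes. With `RemainAfterExit=yes` the unit still ends up active, so a boot with SELinux disabled can leave no relabel marker and nothing in the unit state shows it. Files created during that boot would then keep missing or stale labels once SELinux is enabled again. If the systemd version in use offers it, `ConditionPathIsReadWrite=/` would handle the read-only case as a condition and let the `-` be dropped, so real errors surface. Otherwise the unit should at least record the reason next to the line, e.g. `# "-": touch fails on a read-only /, which must not fail the unit`.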