Am 14.09.2015 um 14:53 schrieb Michael Biebl:
> Hi Russell,
>
> thanks for contacting us!
>
> Am 14.09.2015 um 14:46 schrieb Felipe Sateler:
>> I could not find what the fedora people are doing, but they likely
>> already faced this problem, it is probably worth checking what they
>> did.
>
> A quick grep in a fedora f22 vm shows this:
>
>> # grep relabel -R /usr/lib/systemd/
>> /usr/lib/systemd/fedora-autorelabel:# Do automatic relabelling
>> /usr/lib/systemd/fedora-autorelabel:relabel_selinux() {
>> /usr/lib/systemd/fedora-autorelabel: # wrong context, so a reboot will be
>> required after relabel
>> /usr/lib/systemd/fedora-autorelabel: echo $"*** Warning -- SELinux
>> ${SELINUXTYPE} policy relabel is required. "
>> /usr/lib/systemd/fedora-autorelabel: echo $"*** Warning -- SELinux
>> ${SELINUXTYPE} policy relabel is required."
>> /usr/lib/systemd/fedora-autorelabel: FORCE=`cat /.autorelabel`
>> /usr/lib/systemd/fedora-autorelabel: rm -f /.autorelabel
>> /usr/lib/systemd/fedora-autorelabel:# Check to see if a full relabel is
>> needed
>> /usr/lib/systemd/fedora-autorelabel: relabel_selinux
>> /usr/lib/systemd/system/fedora-autorelabel.service:ConditionKernelCommandLine=|autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel.service:ConditionPathExists=|/.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel.service:ExecStart=/lib/systemd/fedora-autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ConditionKernelCommandLine=|autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ConditionPathExists=|/.autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ExecStart=/lib/systemd/fedora-autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:Description=Mark
>> the need to relabel after reboot
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:ConditionPathExists=!/.autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:ExecStart=-/bin/touch
>> /.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:Description=Mark the
>> need to relabel after reboot
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:ConditionPathExists=!/.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:ExecStart=-/bin/touch
>> /.autorelabel
>
> Attaching the complete files as well
--
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
#!/bin/bash
#
# Do automatic relabelling
#
. /etc/init.d/functions
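# Relabel the filesystems (or hand control to an administrator) and reboot.
#
# Globals:   AUTORELABEL, SELINUXTYPE (read from /etc/selinux/config),
#            FORCE (written: options read from /.autorelabel)
# Arguments: none
# Outputs:   warning banners on stdout
# Returns:   does not normally return; ends with a forced reboot
#
# Line breaks that mail wrapping had inserted inside the quoted messages are
# removed here so that every banner is printed on a single line.
relabel_selinux() {
  # if /sbin/init is not labeled correctly this process is running in the
  # wrong context, so a reboot will be required after relabel
  AUTORELABEL=
  . /etc/selinux/config

  # Writing 0 puts SELinux into permissive mode. Nothing in this function
  # writes 1 back: everything below, including the sulogin shell, runs
  # without enforcement until the forced reboot at the end.
  echo "0" > /sys/fs/selinux/enforce
  [ -x /bin/plymouth ] && plymouth --hide-splash

  if [ "$AUTORELABEL" = "0" ]; then
    # AUTORELABEL=0 in /etc/selinux/config: the administrator wants to fix
    # labels by hand, so hand over the console instead of running fixfiles.
    echo
    echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
    echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
    echo $"*** problems. Dropping you to a shell; the system will reboot"
    echo $"*** when you leave the shell."
    sulogin
  else
    echo
    echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
    echo $"*** Relabeling could take a very long time, depending on file"
    echo $"*** system size and speed of hard drives."

    # The content of /.autorelabel is handed to fixfiles as options. The
    # file may be absent when the unit was triggered by the "autorelabel"
    # kernel argument, so only read it when it is there.
    FORCE=
    if [ -r /.autorelabel ]; then
      FORCE=$(cat /.autorelabel)
    fi

    # $FORCE is deliberately unquoted so that several options split into
    # separate words; globbing is switched off so that a stray "*" or "?"
    # in the file cannot expand to path names.
    # NOTE(review): anything able to write /.autorelabel chooses the
    # arguments of a root-run fixfiles -- confirm the file is root-only.
    set -f
    /sbin/fixfiles $FORCE restore > /dev/null 2>&1
    fixfiles_status=$?
    set +f

    # fixfiles output is discarded and the flag file is removed below in any
    # case, so a failed relabel would otherwise leave no trace at all.
    if [ "$fixfiles_status" -ne 0 ]; then
      echo "*** Warning -- /sbin/fixfiles exited with status ${fixfiles_status}."
    fi
  fi

  # Removed on every path so the next boot does not start another relabel.
  rm -f /.autorelabel
  systemctl --force reboot
}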
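# Check to see if a full relabel is needed
#
# No check is made here beyond READONLY: whether this script runs at all is
# decided by whatever starts it.
# NOTE(review): READONLY is not assigned anywhere in this script; presumably
# it comes from the sourced /etc/init.d/functions or the environment -- confirm.
if [ "$READONLY" != "yes" ]; then
  # Restore the labels of the mount points listed in /etc/fstab (absolute
  # paths, not commented out, not "noauto") before the full relabel.
  # The awk program and its file argument must stay on one line: with a line
  # break between them inside $( ), awk would read stdin and /etc/fstab
  # would be run as a separate command.
  # Collecting the paths in an array keeps one path per word and prevents
  # glob expansion of unusual mount point names.
  mapfile -t fstab_mounts < <(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab)
  restorecon "${fstab_mounts[@]}" > /dev/null 2>&1
  relabel_selinux
fi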
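# Creates the /.autorelabel flag file during a boot in which SELinux is not
# active, so that a relabel is requested once SELinux is active again.
# Directives restored to one per line; the unit had been collapsed onto a
# single line, which systemd would not parse as intended.
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
# All three conditions must hold: SELinux is NOT enabled ("!" negates),
# the /etc/selinux directory exists, and the flag file is not there yet.
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel

[Service]
# The leading "-" tells systemd not to treat a failing touch as a unit failure.
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes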
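# Runs the fedora-autorelabel script early in boot when a relabel has been
# requested. Directives restored to one per line; the unit had been collapsed
# onto a single line, which systemd would not parse as intended.
[Unit]
Description=Relabel all filesystems, if necessary
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
# SELinux must be enabled, and at least one of the two "|" (triggering)
# conditions must hold: "autorelabel" on the kernel command line, or the
# /.autorelabel flag file exists.
ConditionSecurity=selinux
ConditionKernelCommandLine=|autorelabel
ConditionPathExists=|/.autorelabel

[Service]
ExecStart=/lib/systemd/fedora-autorelabel
Type=oneshot
# 0 disables the start timeout; the script itself warns that relabeling can
# take a very long time.
TimeoutSec=0
RemainAfterExit=yes
# Connects the script to the console; presumably needed for the sulogin
# prompt in the AUTORELABEL=0 path -- confirm.
StandardInput=tty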
