Use generator approach to fix autorelabel.

See: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/CHCEGB2RUPHFCE4FVGIRO3CJYGNS75T7/
2016-07-20 22:26:10 +02:00 · 2016-07-20 22:26:10 +02:00 · 183d121f7f
parent 971f8c4099
commit 183d121f7f
4 changed files with 52 additions and 9 deletions
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -4,10 +4,12 @@
 %global	libselinuxver	2.5-7
 %global	sepolgenver	1.2.3

+%global generatorsdir %{_prefix}/lib/systemd/system-generators
+
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.5
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,6 +22,8 @@ Source4: sepolicy-icons.tgz
 Source5: selinux-autorelabel
 Source6: selinux-autorelabel.service
 Source7: selinux-autorelabel-mark.service
+Source8: selinux-autorelabel.target
+Source9: selinux-autorelabel-generator.sh
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
@ -123,10 +127,12 @@ rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.deskto

 # https://bugzilla.redhat.com/show_bug.cgi?id=1328825
 mkdir   -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/
+mkdir   -m 755 -p %{buildroot}/%{generatorsdir}
 install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/
 install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE8} %{buildroot}/%{_unitdir}/
+install -m 755 -p %{SOURCE9} %{buildroot}/%{generatorsdir}/
 install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/
-ln -s ../selinux-autorelabel.service %{buildroot}/%{_unitdir}/basic.target.wants/
 ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/

 %find_lang %{name}
@ -371,7 +377,8 @@ fi
 %{_unitdir}/selinux-autorelabel-mark.service
 %{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service
 %{_unitdir}/selinux-autorelabel.service
-%{_unitdir}/basic.target.wants/selinux-autorelabel.service
+%{_unitdir}/selinux-autorelabel.target
+%{generatorsdir}/selinux-autorelabel-generator.sh
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
 %{_mandir}/man5/selinux_config.5.gz
@ -427,6 +434,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Wed Jul 20 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-14
+- Use generator approach to fix autorelabel
+
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-13
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages

--- a/selinux-autorelabel-generator.sh
+++ b/selinux-autorelabel-generator.sh
@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel, and if so sets the default target to
+# selinux-autorelabel.target, which will cause the filesystem to be
+# relabelled and then the system will reboot again and boot into the
+# real default target.
+
+PATH=/usr/sbin:$PATH
+unitdir=/usr/lib/systemd/system
+
+# If invoked with no arguments (for testing) write to /tmp.
+earlydir="/tmp"
+if [ -n "$2" ]; then
+    earlydir="$2"
+fi
+
+set_target ()
+{
+    ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+}
+
+if selinuxenabled; then
+    if test -f /.autorelabel; then
+        set_target
+    elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+        set_target
+    fi
+fi
--- a/selinux-autorelabel.service
+++ b/selinux-autorelabel.service
@ -1,13 +1,10 @@
 [Unit]
-Description=Relabel all filesystems, if necessary
+Description=Relabel all filesystems
 DefaultDependencies=no
-Requires=local-fs.target
 Conflicts=shutdown.target
-After=local-fs.target
-Before=sysinit.target shutdown.target
+After=sysinit.target
+Before=shutdown.target
 ConditionSecurity=selinux
-ConditionKernelCommandLine=|autorelabel
-ConditionPathExists=|/.autorelabel

 [Service]
 ExecStart=/usr/libexec/selinux/selinux-autorelabel
--- a/selinux-autorelabel.target
+++ b/selinux-autorelabel.target
@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux