From 3bbe617cee6cc44e43f1d2a5c499524fb6cba317 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Mon, 18 Jun 2018 09:37:59 +0200 Subject: [PATCH] selinux-autorelabel: Increment boot_indeterminate grub environment variable For the new grub auto-hide feature: https://fedoraproject.org/wiki/Changes/HiddenGrubMenu Grub needs to know if the previous boot succeeded. This is tracked through flags in the grub environment. A selinux autorelabel is special, because it reboots the machine without completing the boot in the normal manner. grub checks the (new) boot_indeterminate grub environment variable to deal with this. This is a variable containing a count of special boots since the last successful normal boot. If this variable is 1 then it also treats the previous boot as successful. The idea is that an autorelabel (or offline updates) increments boot_indeterminate, so normally after a reboot it will be 1 and the grub menu stays hidden. But if we end up in a selinux autorelabel loop for some reason, then it will be bigger than 1 (*) and the grub menu will be shown allowing the user to try and fix things. *) grub itself will also increment it if it is 1 so that even if it gets incremented only once, that still only makes 1 boot count as successful. This commit makes the selinux-autorelabel script call: grub2-editenv - incr boot_indeterminate for proper integration with this new grub feature. Signed-off-by: Hans de Goede --- selinux-autorelabel | 3 +++ 1 file changed, 3 insertions(+) diff --git a/selinux-autorelabel b/selinux-autorelabel index b17bd8d..22c2143 100755 --- a/selinux-autorelabel +++ b/selinux-autorelabel @@ -59,6 +59,9 @@ relabel_selinux() { rm -f /.autorelabel /usr/lib/dracut/dracut-initramfs-restore efi_set_boot_next + if [ -x /usr/bin/grub2-editenv ]; then + grub2-editenv - incr boot_indeterminate >/dev/null 2>&1 + fi sync systemctl --force reboot }
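Review bot: The guard in the added `if` tests `/usr/bin/grub2-editenv` for executability, but the next line runs `grub2-editenv` through `PATH`, so the binary that is checked is not necessarily the one that runs; call `/usr/bin/grub2-editenv - incr boot_indeterminate` by the same absolute path that the `-x` test uses. The `>/dev/null 2>&1` on that line also discards any failure, so a relabel boot whose increment failed looks the same as one where it succeeded. Since the commit message relies on this counter to surface an autorelabel loop, consider letting stderr through or logging a non-zero exit status before the `sync`.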