Use generator approach to fix autorelabel.
See: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/CHCEGB2RUPHFCE4FVGIRO3CJYGNS75T7/
This commit is contained in:
Richard W.M. Jones
Petr Lautrbach
parent
971f8c4099
commit
183d121f7f
@ -4,10 +4,12 @@
|
|||||||
%global libselinuxver 2.5-7
|
%global libselinuxver 2.5-7
|
||||||
%global sepolgenver 1.2.3
|
%global sepolgenver 1.2.3
|
||||||
|
|
||||||
|
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||||
|
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.5
|
Version: 2.5
|
||||||
Release: 13%{?dist}
|
Release: 14%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
@ -20,6 +22,8 @@ Source4: sepolicy-icons.tgz
|
|||||||
Source5: selinux-autorelabel
|
Source5: selinux-autorelabel
|
||||||
Source6: selinux-autorelabel.service
|
Source6: selinux-autorelabel.service
|
||||||
Source7: selinux-autorelabel-mark.service
|
Source7: selinux-autorelabel-mark.service
|
||||||
|
Source8: selinux-autorelabel.target
|
||||||
|
Source9: selinux-autorelabel-generator.sh
|
||||||
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
||||||
# run:
|
# run:
|
||||||
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
|
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
|
||||||
@ -123,10 +127,12 @@ rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.deskto
|
|||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1328825
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1328825
|
||||||
mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/
|
mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/
|
||||||
|
mkdir -m 755 -p %{buildroot}/%{generatorsdir}
|
||||||
install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/
|
install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/
|
||||||
install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/
|
install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/
|
||||||
|
install -m 644 -p %{SOURCE8} %{buildroot}/%{_unitdir}/
|
||||||
|
install -m 755 -p %{SOURCE9} %{buildroot}/%{generatorsdir}/
|
||||||
install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/
|
install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/
|
||||||
ln -s ../selinux-autorelabel.service %{buildroot}/%{_unitdir}/basic.target.wants/
|
|
||||||
ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/
|
ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/
|
||||||
|
|
||||||
%find_lang %{name}
|
%find_lang %{name}
|
||||||
@ -371,7 +377,8 @@ fi
|
|||||||
%{_unitdir}/selinux-autorelabel-mark.service
|
%{_unitdir}/selinux-autorelabel-mark.service
|
||||||
%{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service
|
%{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service
|
||||||
%{_unitdir}/selinux-autorelabel.service
|
%{_unitdir}/selinux-autorelabel.service
|
||||||
%{_unitdir}/basic.target.wants/selinux-autorelabel.service
|
%{_unitdir}/selinux-autorelabel.target
|
||||||
|
%{generatorsdir}/selinux-autorelabel-generator.sh
|
||||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||||
# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
|
# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
|
||||||
%{_mandir}/man5/selinux_config.5.gz
|
%{_mandir}/man5/selinux_config.5.gz
|
||||||
@ -427,6 +434,9 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 20 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-14
|
||||||
|
- Use generator approach to fix autorelabel
|
||||||
|
|
||||||
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-13
|
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-13
|
||||||
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
|
||||||
|
|
||||||
|
|||||||
29
selinux-autorelabel-generator.sh
Normal file
29
selinux-autorelabel-generator.sh
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# This systemd.generator(7) detects if SELinux is running and if the
|
||||||
|
# user requested an autorelabel, and if so sets the default target to
|
||||||
|
# selinux-autorelabel.target, which will cause the filesystem to be
|
||||||
|
# relabelled and then the system will reboot again and boot into the
|
||||||
|
# real default target.
|
||||||
|
|
||||||
|
PATH=/usr/sbin:$PATH
|
||||||
|
unitdir=/usr/lib/systemd/system
|
||||||
|
|
||||||
|
# If invoked with no arguments (for testing) write to /tmp.
|
||||||
|
earlydir="/tmp"
|
||||||
|
if [ -n "$2" ]; then
|
||||||
|
earlydir="$2"
|
||||||
|
fi
|
||||||
|
|
||||||
|
set_target ()
|
||||||
|
{
|
||||||
|
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
|
||||||
|
}
|
||||||
|
|
||||||
|
if selinuxenabled; then
|
||||||
|
if test -f /.autorelabel; then
|
||||||
|
set_target
|
||||||
|
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
|
||||||
|
set_target
|
||||||
|
fi
|
||||||
|
fi
|
||||||
@ -1,13 +1,10 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Relabel all filesystems, if necessary
|
Description=Relabel all filesystems
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
Requires=local-fs.target
|
|
||||||
Conflicts=shutdown.target
|
Conflicts=shutdown.target
|
||||||
After=local-fs.target
|
After=sysinit.target
|
||||||
Before=sysinit.target shutdown.target
|
Before=shutdown.target
|
||||||
ConditionSecurity=selinux
|
ConditionSecurity=selinux
|
||||||
ConditionKernelCommandLine=|autorelabel
|
|
||||||
ConditionPathExists=|/.autorelabel
|
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/usr/libexec/selinux/selinux-autorelabel
|
ExecStart=/usr/libexec/selinux/selinux-autorelabel
|
||||||
|
|||||||
7
selinux-autorelabel.target
Normal file
7
selinux-autorelabel.target
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Relabel all filesystems and reboot
|
||||||
|
DefaultDependencies=no
|
||||||
|
Requires=sysinit.target selinux-autorelabel.service
|
||||||
|
Conflicts=shutdown.target
|
||||||
|
After=sysinit.target selinux-autorelabel.service
|
||||||
|
ConditionSecurity=selinux
|
||||||
Loading…
Reference in New Issue
Block a user