selinux-autorelabel: Increment boot_indeterminate grub environment variable

For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu

Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.

A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.

grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger then 1 (*) and
the grub menu will be shown allowing the user to try and fix things.

*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.

This commit makes the selinux-autorelabel script call:
grub2-editenv - incr boot_indeterminate
for proper integration with this new grub feature.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This commit is contained in:
Hans de Goede 2018-06-18 09:37:59 +02:00 committed by Petr Lautrbach
parent a16e7bc7bb
commit 3bbe617cee

View File

@ -59,6 +59,9 @@ relabel_selinux() {
rm -f /.autorelabel rm -f /.autorelabel
/usr/lib/dracut/dracut-initramfs-restore /usr/lib/dracut/dracut-initramfs-restore
efi_set_boot_next efi_set_boot_next
if [ -x /usr/bin/grub2-editenv ]; then
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
fi
sync sync
systemctl --force reboot systemctl --force reboot
} }