diff --git a/policycoreutils.spec b/policycoreutils.spec
index 57df362..ee55eb1 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -17,6 +17,9 @@ URL: http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
+Source5: selinux-autorelabel
+Source6: selinux-autorelabel.service
+Source7: selinux-autorelabel-mark.service
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
@@ -27,12 +30,14 @@ Patch1: sepolgen-fedora.patch
 Patch100: policycoreutils-fix-semanage-python3.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
+Conflicts: initscripts < 9.66
 Provides: /sbin/fixfiles
 Provides: /sbin/restorecon
 BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python python-devel python3 python3-devel setools-devel >= 3.3.8-10
+BuildRequires: systemd
 Requires: util-linux grep gawk diffutils rpm sed
 Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver} 
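Review bot: The runtime dependencies of the new autorelabel script are not declared in the second hunk: it adds `BuildRequires: systemd` (needed only so `%{_unitdir}` expands at build time), but the `Requires:` lines right below gain nothing, while the installed script calls `systemctl --force reboot` and `/usr/lib/dracut/dracut-initramfs-restore` on every relabel. Unless these are pulled in transitively elsewhere in the spec (not visible here), add `Requires: systemd` and `Requires: dracut` (or guard the dracut call in the script) so a box without dracut does not silently skip the initramfs restore and still reboot. `Conflicts: initscripts < 9.66` is presumably there because older initscripts carried its own autorelabel step in rc.sysinit; a one-line comment above it such as `# autorelabel handling moved here from initscripts` would spare the next reader a changelog search.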
@@ -115,6 +120,14 @@ rm -f %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
 rm -f %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
 rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
+# https://bugzilla.redhat.com/show_bug.cgi?id=1328825
+mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/
+install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/
+install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/
+install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/
+ln -s ../selinux-autorelabel.service %{buildroot}/%{_unitdir}/basic.target.wants/
+ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/
+
 %find_lang %{name}
 %package python-utils
@@ -353,6 +366,11 @@ fi
 %{_sbindir}/sestatus
 %{_bindir}/secon
 %{_libexecdir}/selinux/hll
+%{_libexecdir}/selinux/selinux-autorelabel
+%{_unitdir}/selinux-autorelabel-mark.service
+%{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service
+%{_unitdir}/selinux-autorelabel.service
+%{_unitdir}/basic.target.wants/selinux-autorelabel.service
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
 %{_mandir}/man5/selinux_config.5.gz
diff --git a/selinux-autorelabel b/selinux-autorelabel
new file mode 100755
index 0000000..ad92022
--- /dev/null
+++ b/selinux-autorelabel 
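Review bot: The two `ln -s ... basic.target.wants/` lines enable the units unconditionally at package-install time, bypassing `%systemd_post` and the distribution preset mechanism, and nothing in the hunk says that this is deliberate. That is the normal choice for units with `DefaultDependencies=no` that must run before `sysinit.target` on every boot, but a comment above the links, e.g. `# statically enabled: the relabel check must run on every boot regardless of presets`, would stop a later cleanup from "fixing" them into preset-managed units. The `%{buildroot}/%{_unitdir}` form also yields a doubled slash; the `%{buildroot}%{_datadir}` spelling used two lines above is the file's existing convention.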
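Review bot: The %files hunk lists the two symlinks under `basic.target.wants/` but not the directory that %install now creates with `mkdir -m 755 -p`; if no other package on the system owns `%{_unitdir}/basic.target.wants` (I cannot verify that from this diff), the directory will be unowned after install and flagged by rpmlint. Adding `%dir %{_unitdir}/basic.target.wants` next to the symlink entries closes that gap and is harmless if the directory is co-owned. Listing the `.service` file and its `.wants` link as adjacent pairs, as the hunk already does, is worth keeping.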
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+relabel_selinux() {
+ # if /sbin/init is not labeled correctly this process is running in the
+ # wrong context, so a reboot will be required after relabel
+ AUTORELABEL=
+ . /etc/selinux/config
+ echo "0" > /sys/fs/selinux/enforce
+ [ -x /bin/plymouth ] && plymouth --hide-splash
+
+ if [ "$AUTORELABEL" = "0" ]; then
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+ echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+ echo $"*** problems. Dropping you to a shell; the system will reboot"
+ echo $"*** when you leave the shell."
+ sulogin
+
+ else
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+ echo $"*** Relabeling could take a very long time, depending on file"
+ echo $"*** system size and speed of hard drives."
+
+ FORCE=`cat /.autorelabel`
+ [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+ /sbin/fixfiles $FORCE restore > /dev/null 2>&1
+ fi
+ rm -f /.autorelabel
+ /usr/lib/dracut/dracut-initramfs-restore
+ systemctl --force reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ relabel_selinux
+fi
diff --git a/selinux-autorelabel-mark.service b/selinux-autorelabel-mark.service
new file mode 100644
index 0000000..33b5147
--- /dev/null
+++ b/selinux-autorelabel-mark.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes 
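Review bot: The outcome of the relabel is never checked in `relabel_selinux`: `/sbin/fixfiles $FORCE restore > /dev/null 2>&1` discards both output and exit status, and the function then unconditionally runs `rm -f /.autorelabel` and `systemctl --force reboot`, so a failed or partial relabel (fixfiles aborting, or the earlier `echo "0" > /sys/fs/selinux/enforce` being refused on a kernel without SELinux development mode) leaves the next boot in enforcing mode on inconsistent labels with nothing on the console or in the journal to explain it. Suggest `/sbin/fixfiles $FORCE restore > /dev/null 2>&1 || echo $"*** Warning -- relabel failed (fixfiles exit status $?); file contexts may be inconsistent after reboot."` and `echo "0" > /sys/fs/selinux/enforce || echo $"*** Warning -- could not switch to permissive mode; relabel may fail."`, keeping the marker removal so a broken policy cannot loop the machine. Separately, the `READONLY` guard at the bottom is a leftover from the initscripts version: with `. /etc/init.d/functions` commented out nothing in this file sets `READONLY`, so the `if` is always true and should either be removed or replaced by a comment saying why it stays.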
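Review bot: The unit never states why a relabel is marked when SELinux is off: `ConditionSecurity=!selinux` together with `ConditionPathIsDirectory=/etc/selinux` means every boot with SELinux disabled on a host that has SELinux configuration installed creates `/.autorelabel`, and a reader has to reverse-engineer that from the conditions. A header above `[Unit]` such as `# Files written while SELinux is disabled get no security labels; record that a full relabel is due so the next SELinux-enabled boot repairs them before anything relies on them.` would make the intent explicit — I am inferring the rationale from the conditions, so adjust it if the actual reason differs. The `-` prefix on `ExecStart=-/bin/touch /.autorelabel` makes a failed touch (e.g. a still read-only root) non-fatal to boot, which looks deliberate; a short `# '-': a read-only root must not fail the boot` beside it would keep someone from removing it later.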
diff --git a/selinux-autorelabel.service b/selinux-autorelabel.service
new file mode 100644
index 0000000..a6cc332
--- /dev/null
+++ b/selinux-autorelabel.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Relabel all filesystems, if necessary
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=selinux
+ConditionKernelCommandLine=|autorelabel
+ConditionPathExists=|/.autorelabel
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardInput=tty
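Review bot: Nothing in the unit records that it is a boot-altering trigger: either `ConditionKernelCommandLine=|autorelabel` or `ConditionPathExists=|/.autorelabel` starts `/usr/libexec/selinux/selinux-autorelabel`, which (per the script in this patch) switches the kernel to permissive mode, may drop to `sulogin`, and reboots, and `StandardInput=tty` is there so that interactive shell and the console warnings work. A header above `[Unit]`, e.g. `# Triggered by /.autorelabel or 'autorelabel' on the kernel command line; the script sets permissive mode, relabels (or drops to sulogin) and reboots.` plus `# StandardInput=tty is required for sulogin and the console warnings; TimeoutSec=0 because a relabel can take hours.`, would document this for whoever next edits the conditions. Because the command-line trigger lets anyone able to edit the boot loader entry force a permissive boot, the comment could also state that this is intentional and assumes the boot loader is protected; as far as I can tell that exposure is inherited from the previous initscripts behaviour rather than introduced here.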