For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu
Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.
A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.
grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger than 1 (*) and
the grub menu will be shown allowing the user to try and fix things.
*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.
This commit makes the selinux-autorelabel script call:

    grub2-editenv - incr boot_indeterminate

for proper integration with this new grub feature.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
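
The counter logic described in the commit message above, as an added shell model; it is not code from grub, from the selinux-autorelabel script or from the commit. Plain variables stand in for the grub environment; `prev_boot_ok`, `grub_stage`, the three `*_boot` functions and `replay` are hypothetical names, and resetting the count on a successful normal boot is an assumption drawn from the variable's description.

```shell
# Constructed model: shell variables stand in for the grub environment block.
# Nothing here reads grubenv or calls grub2-editenv.
boot_indeterminate=0   # special boots since the last successful normal boot
prev_boot_ok=1         # hypothetical stand-in for grub's "previous boot succeeded" flag
menu=""                # decision made by the last grub_stage call

# grub at boot: decide on the menu, then bump a count of 1 to 2 so that a
# single increment lets only one boot count as successful.
grub_stage() {
    if [ "$prev_boot_ok" -eq 1 ] || [ "$boot_indeterminate" -eq 1 ]; then
        menu=hidden
    else
        menu=shown
    fi
    if [ "$boot_indeterminate" -eq 1 ]; then
        boot_indeterminate=2
    fi
    prev_boot_ok=0     # has to be earned again by the boot that follows
}

# Boot that completes normally (assumed to reset the special-boot count).
normal_boot() { grub_stage; prev_boot_ok=1; boot_indeterminate=0; }

# Boot that ends in an autorelabel and reboot; the real script runs
# "grub2-editenv - incr boot_indeterminate" at this point.
relabel_boot() { grub_stage; boot_indeterminate=$((boot_indeterminate + 1)); }

# Boot that dies before anything is recorded.
failed_boot() { grub_stage; }

# Replay a sequence of boots on a healthy system and print the menu decision
# grub made at the start of each one.
replay() {
    boot_indeterminate=0; prev_boot_ok=1; out=""
    for kind in "$@"; do
        "${kind}_boot"
        out="${out:+$out }$menu"
    done
    echo "$out"
}

replay normal relabel normal    # one relabel: menu never appears
replay relabel relabel relabel  # relabel loop: menu appears on the third boot
replay relabel failed failed    # single increment covers only one boot
```

The last replay is the footnote's case: without grub's own bump from 1 to 2, a count left at 1 would keep the menu hidden on every later failed boot.
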
plymouth by default waits for 5 seconds before showing the splash so
that the splash simply gets skipped on real quick boots.
In my testing it seems that --hide-splash is a no-op when run before
the 5 seconds have passed and the splash is shown, causing the splash
to still be there during a relabel. Note this problem only shows when
*not* using disk-encryption.
Switching to plymouth --quit fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This can be useful when user has this UEFI boot order e.g.:
Windows | grub | Linux
And decides to boot into grub/Linux. In case the autorelabel service
is being run after the boot into grub, then the reboot after the
autorelabel is done will cause user to boot into Windows again...
This change should make the behaviour more intuitive for the user.
Signed-off-by: David Kaspar [Dee'Kej] <dkaspar@redhat.com>
- sepolicy: Fix translated strings with parameters
- sepolicy: Support non-MLS policy
- sepolicy: Initialize policy.ports as a dict in generate.py
- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
- Minor update for bash completion
- semodule_package: fix semodule_unpackage man page
- gui/semanagePage: Close "edit" and "add" dialogues when successful
- gui/fcontextPage: Set default object class in addDialog
- sepolgen: fix typo in PolicyGenerator
- build: follow standard semantics for DESTDIR and PREFIX
- use pathfix.py instead of sed
- clean up '*~' files
Fixes:
policycoreutils has broken dependencies in the rawhide tree:
On i386:
python2-policycoreutils-2.7-11.fc28.i686 requires /usr/bin/python22
On armhfp:
python2-policycoreutils-2.7-11.fc28.armv7hl requires /usr/bin/python22
- gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
- gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
- python/sepolicy: Use list instead of map
- python/sepolicy: Do not use types.BooleanType
The playbook includes Tier1 level test cases that have been tested in
the following contexts and is passing reliably on Classic.
Test logs are stored in the Artifacts directory.
The following steps are used to execute the tests using the standard test interface:
Classic
sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS="" TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags classic tests.yml
It's based on
https://src.fedoraproject.org/rpms/policycoreutils/pull-request/1 from Merlin Mathesius <merlinm@redhat.com>
Known issues:
policycoreutils.spec: W: invalid-url Source14: sepolicy-icons.tgz
The value should be a valid, public HTTP, HTTPS, or FTP URL.
policycoreutils.spec: W: invalid-url Source12: policycoreutils_man_ru2.tar.bz2
The value should be a valid, public HTTP, HTTPS, or FTP URL.
- sepolicy: Fix sepolicy manpage
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option