[DSE-Dev] Bug#796693: selinux-basics: Has init script in runlevel S but no matching service file

Michael Biebl biebl at debian.org
Mon Sep 14 12:56:30 UTC 2015 

Am 14.09.2015 um 14:53 schrieb Michael Biebl:
> Hi Russell,
> 
> thanks for contacting us!
> 
> Am 14.09.2015 um 14:46 schrieb Felipe Sateler:
>> I could not find what the fedora people are doing, but they likely
>> already faced this problem, it is probably worth checking what they
>> did.
> 
> A quick grep in a fedora f22 vm shows this:
> 
>> # grep relabel -R /usr/lib/systemd/
>> /usr/lib/systemd/fedora-autorelabel:# Do automatic relabelling
>> /usr/lib/systemd/fedora-autorelabel:relabel_selinux() {
>> /usr/lib/systemd/fedora-autorelabel:    # wrong context, so a reboot will be required after relabel
>> /usr/lib/systemd/fedora-autorelabel:	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
>> /usr/lib/systemd/fedora-autorelabel:	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
>> /usr/lib/systemd/fedora-autorelabel:	FORCE=`cat /.autorelabel`
>> /usr/lib/systemd/fedora-autorelabel:    rm -f  /.autorelabel
>> /usr/lib/systemd/fedora-autorelabel:# Check to see if a full relabel is needed
>> /usr/lib/systemd/fedora-autorelabel:    relabel_selinux
>> /usr/lib/systemd/system/fedora-autorelabel.service:ConditionKernelCommandLine=|autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel.service:ConditionPathExists=|/.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel.service:ExecStart=/lib/systemd/fedora-autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ConditionKernelCommandLine=|autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ConditionPathExists=|/.autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel.service:ExecStart=/lib/systemd/fedora-autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:Description=Mark the need to relabel after reboot
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:ConditionPathExists=!/.autorelabel
>> /usr/lib/systemd/system/basic.target.wants/fedora-autorelabel-mark.service:ExecStart=-/bin/touch /.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:Description=Mark the need to relabel after reboot
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:ConditionPathExists=!/.autorelabel
>> /usr/lib/systemd/system/fedora-autorelabel-mark.service:ExecStart=-/bin/touch /.autorelabel
> 
> 

Attaching the complete files as well


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
-------------- next part --------------
#!/bin/bash
#
# Do automatic relabelling
#

. /etc/init.d/functions

relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    echo "0" > /sys/fs/selinux/enforce
    [ -x /bin/plymouth ] && plymouth --hide-splash

    if [ "$AUTORELABEL" = "0" ]; then
	echo
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
	echo $"*** problems. Dropping you to a shell; the system will reboot"
	echo $"*** when you leave the shell."
	sulogin

    else
	echo
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
	echo $"*** Relabeling could take a very long time, depending on file"
	echo $"*** system size and speed of hard drives."

	FORCE=`cat /.autorelabel`
	/sbin/fixfiles $FORCE restore > /dev/null 2>&1
    fi
    rm -f  /.autorelabel
    systemctl --force reboot
}

# Check to see if a full relabel is needed
if [ "$READONLY" != "yes" ]; then
    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
    relabel_selinux
fi
-------------- next part --------------
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel

[Service]
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes
-------------- next part --------------
[Unit]
Description=Relabel all filesystems, if necessary
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=selinux
ConditionKernelCommandLine=|autorelabel
ConditionPathExists=|/.autorelabel

[Service]
ExecStart=/lib/systemd/fedora-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardInput=tty
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20150914/b81caffb/attachment.sig>

More information about the SELinux-devel mailing list