samwiseetc/init.d/selinux-autorelabel

#!/bin/sh
### BEGIN INIT INFO
# Provides:          selinux-autorelabel
# Required-Start:    $remote_fs
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# X-Interactive:     true
# Short-Description: Relabel the needed filesystems
# Description:       Relabel /dev and /run to mimic systemd behaviour.
#                    Also Relabel all filesystems, if necessary.
### END INIT INFO

# Author: Laurent Bigonville <bigon@debian.org>
# Based on Red Hat and Erich Schubert work

. /lib/lsb/init-functions

PATH=/sbin:/usr/sbin:/bin:/usr/bin

[ -x /sbin/fixfiles ] || exit 0

selinuxenabled=
if [ -n "/sys/fs/selinux" -a "`cat /proc/self/attr/current 2>/dev/null`" ]; then
    if [ -r /sys/fs/selinux/enforce ]; then
	selinuxenabled=`cat /sys/fs/selinux/enforce 2>/dev/null`
    else
	# we can't read /selinux/enforce, so we assume it's enforced...
	selinuxenabled=1
    fi
fi

relabel_selinux_full() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    [ -f /etc/selinux/config ] && . /etc/selinux/config
    echo "0" > /sys/fs/selinux/enforce
    if [ -x /bin/plymouth ] && plymouth --ping; then
	plymouth --hide-splash
    fi

    if [ "$AUTORELABEL" = "0" ]; then
	echo
	echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
	echo "*** /etc/selinux/config indicates you want to manually fix labeling"
	echo "*** problems. Dropping you to a shell; the system will reboot"
	echo "*** when you leave the shell."
	sulogin $CONSOLE

    else
	echo
	echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
	echo "*** Relabeling could take a very long time, depending on file"
	echo "*** system size and speed of hard drives."

	FORCE=`cat /.autorelabel`
	/sbin/fixfiles $FORCE restore
    fi
    rm -f  /.autorelabel
    invoke-rc.d sendsigs stop > /dev/null 2>&1
    sync
    umount -a
    mount -n -o remount,ro /
    reboot -f
}

relabel_selinux_minimal() {
    restorecon -R /dev /run /sys/class/net 2>/dev/null
    restorecon /sys/devices/system/cpu/online 2>/dev/null
}

selinux_relabel() {
    if [ -n "$selinuxenabled" ]; then
	if [ -f /.autorelabel ] || grep -q '\<autorelabel\>' /proc/cmdline ; then
	    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
	    relabel_selinux_full
	else
	    relabel_selinux_minimal
	fi
    else
	# If SELinux is installed but not enabled, set the autorelabel flag for
	# the next boot...
	if [ -e /etc/selinux -a ! -f /.autorelabel ]; then
	    touch /.autorelabel
	fi
    fi
}

case "$1" in
    start|restart|force-reload)
	selinux_relabel
    ;;
    stop)
	# No-op
    ;;
    *)
	echo "Usage: selinux-autorelabel {start|stop|restart|force-reload}" >&2
	exit 3
    ;;
esac

exit 0
Initial recommit 2 years ago			`#!/bin/sh`
			`### BEGIN INIT INFO`
			`# Provides: selinux-autorelabel`
			`# Required-Start: $remote_fs`
			`# Required-Stop:`
			`# Default-Start: S`
			`# Default-Stop:`
			`# X-Interactive: true`
			`# Short-Description: Relabel the needed filesystems`
			`# Description: Relabel /dev and /run to mimic systemd behaviour.`
			`# Also Relabel all filesystems, if necessary.`
			`### END INIT INFO`

			`# Author: Laurent Bigonville <bigon@debian.org>`
			`# Based on Red Hat and Erich Schubert work`

			`. /lib/lsb/init-functions`

			`PATH=/sbin:/usr/sbin:/bin:/usr/bin`

			`[ -x /sbin/fixfiles ] \|\| exit 0`

			`selinuxenabled=`
			if [ -n "/sys/fs/selinux" -a "`cat /proc/self/attr/current 2>/dev/null`" ]; then
			`if [ -r /sys/fs/selinux/enforce ]; then`
			selinuxenabled=`cat /sys/fs/selinux/enforce 2>/dev/null`
			`else`
			`# we can't read /selinux/enforce, so we assume it's enforced...`
			`selinuxenabled=1`
			`fi`
			`fi`

			`relabel_selinux_full() {`
			`# if /sbin/init is not labeled correctly this process is running in the`
			`# wrong context, so a reboot will be required after relabel`
			`AUTORELABEL=`
			`[ -f /etc/selinux/config ] && . /etc/selinux/config`
			`echo "0" > /sys/fs/selinux/enforce`
			`if [ -x /bin/plymouth ] && plymouth --ping; then`
			`plymouth --hide-splash`
			`fi`

			`if [ "$AUTORELABEL" = "0" ]; then`
			`echo`
			`echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."`
			`echo "*** /etc/selinux/config indicates you want to manually fix labeling"`
			`echo "*** problems. Dropping you to a shell; the system will reboot"`
			`echo "*** when you leave the shell."`
			`sulogin $CONSOLE`

			`else`
			`echo`
			`echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."`
			`echo "*** Relabeling could take a very long time, depending on file"`
			`echo "*** system size and speed of hard drives."`

			FORCE=`cat /.autorelabel`
			`/sbin/fixfiles $FORCE restore`
			`fi`
			`rm -f /.autorelabel`
			`invoke-rc.d sendsigs stop > /dev/null 2>&1`
			`sync`
			`umount -a`
			`mount -n -o remount,ro /`
			`reboot -f`
			`}`

			`relabel_selinux_minimal() {`
			`restorecon -R /dev /run /sys/class/net 2>/dev/null`
			`restorecon /sys/devices/system/cpu/online 2>/dev/null`
			`}`

			`selinux_relabel() {`
			`if [ -n "$selinuxenabled" ]; then`
			`if [ -f /.autorelabel ] \|\| grep -q '\<autorelabel\>' /proc/cmdline ; then`
			`restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1`
			`relabel_selinux_full`
			`else`
			`relabel_selinux_minimal`
			`fi`
			`else`
			`# If SELinux is installed but not enabled, set the autorelabel flag for`
			`# the next boot...`
			`if [ -e /etc/selinux -a ! -f /.autorelabel ]; then`
			`touch /.autorelabel`
			`fi`
			`fi`
			`}`

			`case "$1" in`
			`start\|restart\|force-reload)`
			`selinux_relabel`
			`;;`
			`stop)`
			`# No-op`
			`;;`
			`*)`
			`echo "Usage: selinux-autorelabel {start\|stop\|restart\|force-reload}" >&2`
			`exit 3`
			`;;`
			`esac`

			`exit 0`