You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
104 lines
2.8 KiB
Bash
104 lines
2.8 KiB
Bash
#!/bin/sh
|
|
### BEGIN INIT INFO
|
|
# Provides: selinux-autorelabel
|
|
# Required-Start: $remote_fs
|
|
# Required-Stop:
|
|
# Default-Start: S
|
|
# Default-Stop:
|
|
# X-Interactive: true
|
|
# Short-Description: Relabel the needed filesystems
|
|
# Description: Relabel /dev and /run to mimic systemd behaviour.
|
|
# Also Relabel all filesystems, if necessary.
|
|
### END INIT INFO
|
|
|
|
# Author: Laurent Bigonville <bigon@debian.org>
|
|
# Based on Red Hat and Erich Schubert work
|
|
|
|
. /lib/lsb/init-functions
|
|
|
|
PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
|
|
|
[ -x /sbin/fixfiles ] || exit 0
|
|
|
|
selinuxenabled=
|
|
if [ -n "/sys/fs/selinux" -a "`cat /proc/self/attr/current 2>/dev/null`" ]; then
|
|
if [ -r /sys/fs/selinux/enforce ]; then
|
|
selinuxenabled=`cat /sys/fs/selinux/enforce 2>/dev/null`
|
|
else
|
|
# we can't read /selinux/enforce, so we assume it's enforced...
|
|
selinuxenabled=1
|
|
fi
|
|
fi
|
|
|
|
relabel_selinux_full() {
|
|
# if /sbin/init is not labeled correctly this process is running in the
|
|
# wrong context, so a reboot will be required after relabel
|
|
AUTORELABEL=
|
|
[ -f /etc/selinux/config ] && . /etc/selinux/config
|
|
echo "0" > /sys/fs/selinux/enforce
|
|
if [ -x /bin/plymouth ] && plymouth --ping; then
|
|
plymouth --hide-splash
|
|
fi
|
|
|
|
if [ "$AUTORELABEL" = "0" ]; then
|
|
echo
|
|
echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
|
|
echo "*** /etc/selinux/config indicates you want to manually fix labeling"
|
|
echo "*** problems. Dropping you to a shell; the system will reboot"
|
|
echo "*** when you leave the shell."
|
|
sulogin $CONSOLE
|
|
|
|
else
|
|
echo
|
|
echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
|
|
echo "*** Relabeling could take a very long time, depending on file"
|
|
echo "*** system size and speed of hard drives."
|
|
|
|
FORCE=`cat /.autorelabel`
|
|
/sbin/fixfiles $FORCE restore
|
|
fi
|
|
rm -f /.autorelabel
|
|
invoke-rc.d sendsigs stop > /dev/null 2>&1
|
|
sync
|
|
umount -a
|
|
mount -n -o remount,ro /
|
|
reboot -f
|
|
}
|
|
|
|
relabel_selinux_minimal() {
|
|
restorecon -R /dev /run /sys/class/net 2>/dev/null
|
|
restorecon /sys/devices/system/cpu/online 2>/dev/null
|
|
}
|
|
|
|
selinux_relabel() {
|
|
if [ -n "$selinuxenabled" ]; then
|
|
if [ -f /.autorelabel ] || grep -q '\<autorelabel\>' /proc/cmdline ; then
|
|
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
|
|
relabel_selinux_full
|
|
else
|
|
relabel_selinux_minimal
|
|
fi
|
|
else
|
|
# If SELinux is installed but not enabled, set the autorelabel flag for
|
|
# the next boot...
|
|
if [ -e /etc/selinux -a ! -f /.autorelabel ]; then
|
|
touch /.autorelabel
|
|
fi
|
|
fi
|
|
}
|
|
|
|
case "$1" in
|
|
start|restart|force-reload)
|
|
selinux_relabel
|
|
;;
|
|
stop)
|
|
# No-op
|
|
;;
|
|
*)
|
|
echo "Usage: selinux-autorelabel {start|stop|restart|force-reload}" >&2
|
|
exit 3
|
|
;;
|
|
esac
|
|
|
|
exit 0
|