Hi Russell,

On 14 September 2015 at 06:29, Russell Coker <russ...@coker.com.au> wrote:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796693
>
> What do you suggest that we do in regard to this bug? The problem we have is
> that this isn't like your typical service script (most of which start daemons
> etc). It has more in common with a fsck than any other operation on a non-SE
> system.
>
> For correct operation the script has to relabel all files (if requested) and
> then reboot afterwards. It should run before any daemons are started as such
> daemons might run with the wrong security context which could prevent them
> from performing their normal functions and/or allow them to access sensitive
> data.
The init script in question is this one[1]. It can be seen there that it performs either a minimal or a full relabel, depending on either a file (/.autorelabel) or a kernel command line argument.

I would suggest creating two distinct units.

One for the minimal relabeling that happens at every boot (with proper ConditionSecurity and any other checks it might need). This unit should probably happen as early as possible, order itself Before=local-fs.target, and have RequiresMountsFor=/dev.

For the second unit, I would suggest mimicking the approach of the system update specification[2]. Create a generator that, if the kernel command line argument or the relabel file exists, points default.target to selinux-full-relabel.target in the early directory. This target then only includes the full relabel unit, which removes the trigger file and reboots. This unit does not need DefaultDependencies=no, and should probably be Type=simple so that systemd considers the boot complete as soon as the command starts (and thus does not lock up when triggering a reboot).

I could not find what the Fedora people are doing, but they likely already faced this problem; it is probably worth checking what they did.

[1] http://sources.debian.net/src/selinux-basics/0.5.2/debian/selinux-basics.init/
[2] http://freedesktop.org/wiki/Software/systemd/SystemUpdates/

--
Regards,
Felipe Sateler

_______________________________________________
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
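As an added example (not code from selinux-basics, systemd, or either poster), here is what the two-unit design plus generator described in the reply could look like. It follows the SystemUpdates pattern: the generator drops a default.target symlink into the early generator directory, which takes precedence over /etc, so the boot lands on a target that contains only the full-relabel service. The trigger file /.autorelabel, the `autorelabel` kernel parameter, the unit names, and the restorecon command lines are assumptions; the generator's checks are parameterised by environment variables so the logic can be exercised against a scratch directory instead of the real /proc and /sys.

```shell
#!/bin/sh
# Hypothetical generator "selinux-relabel-generator" (example code, not from
# selinux-basics or systemd). systemd invokes generators as:
#   generator <normal_dir> <early_dir> <late_dir>
# A symlink named default.target in <early_dir> overrides the configured
# default target, exactly as systemd-system-update-generator does.
set -u

# Assumed trigger file, kernel parameter source and target name.
TRIGGER_FILE="${TRIGGER_FILE:-/.autorelabel}"
CMDLINE_FILE="${CMDLINE_FILE:-/proc/cmdline}"
RELABEL_TARGET="/lib/systemd/system/selinux-full-relabel.target"

# selinux_enabled: generators run before any unit, so check the kernel
# state directly; ConditionSecurity=selinux only helps the units themselves.
selinux_enabled() {
    [ -d "${SELINUXFS:-/sys/fs/selinux}" ]
}

# relabel_requested: the trigger file exists, or the kernel command line
# carries "autorelabel" as a whole parameter (not as a substring of another).
relabel_requested() {
    [ -e "$TRIGGER_FILE" ] && return 0
    [ -r "$CMDLINE_FILE" ] || return 1
    for arg in $(cat "$CMDLINE_FILE"); do
        case "$arg" in
            autorelabel|autorelabel=1) return 0 ;;
        esac
    done
    return 1
}

# generate EARLY_DIR: install the default.target override; returns 1 when
# nothing was done so callers (and tests) can tell the two cases apart.
generate() {
    early_dir="$1"
    if selinux_enabled && relabel_requested; then
        mkdir -p "$early_dir"
        ln -sf "$RELABEL_TARGET" "$early_dir/default.target"
        return 0
    fi
    return 1
}

# write_units DIR: the unit files the generator relies on, for reference.
write_units() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal relabel, every boot. Ordering Before=local-fs.target requires
    # DefaultDependencies=no: default deps would order it After=sysinit.target,
    # which itself comes after local-fs.target, creating an ordering cycle.
    cat > "$dir/selinux-minimal-relabel.service" <<'EOF'
[Unit]
Description=SELinux minimal relabel of early-boot paths
DefaultDependencies=no
ConditionSecurity=selinux
RequiresMountsFor=/dev
Before=local-fs.target

[Service]
Type=oneshot
# Assumed path list; the real script decides what the minimal relabel covers.
ExecStart=/sbin/restorecon -R /dev
EOF
    # The target the generator points default.target at; it pulls in only
    # the full-relabel service (plus sysinit, like system-update.target).
    cat > "$dir/selinux-full-relabel.target" <<'EOF'
[Unit]
Description=SELinux full filesystem relabel (offline, then reboot)
Requires=sysinit.target
After=sysinit.target
Wants=selinux-full-relabel.service
AllowIsolate=yes
EOF
    # Type=simple so the boot counts as complete once the command is spawned;
    # the trigger is removed only after a successful relabel, so a failed run
    # is retried on the next boot instead of silently leaving wrong labels.
    cat > "$dir/selinux-full-relabel.service" <<'EOF'
[Unit]
Description=Relabel the whole filesystem and reboot
ConditionSecurity=selinux
After=local-fs.target

[Service]
Type=simple
ExecStart=/bin/sh -c '/sbin/restorecon -RF / && rm -f /.autorelabel; systemctl --no-block reboot'
EOF
}

# When run by systemd (three directory arguments) act as the generator.
# A generator must not fail just because no relabel was requested.
if [ "$#" -eq 3 ]; then
    generate "$2" || :
fi
```

Two points worth noting in practice: the trigger file is deleted after the relabel, not before, so an interrupted relabel leaves the request in place; and `systemctl --no-block reboot` is used because the reboot transaction stops the very service issuing it, and a blocking call would wait on its own termination.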