Blame SOURCES/selinux-autorelabel

e65efd
#!/bin/bash
e65efd
#
e65efd
# Do automatic relabelling
e65efd
#
e65efd
e65efd
# . /etc/init.d/functions
e65efd
e65efd
# If the user has this (or similar) UEFI boot order:
e65efd
#
e65efd
#             Windows | grub | Linux
e65efd
#
e65efd
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
e65efd
# would cause the system to boot into Windows again, if the autorelabel was run.
e65efd
#
e65efd
# This function restores the UEFI boot order, so the user will boot into the
e65efd
# previously set (and expected) partition.
e65efd
efi_set_boot_next() {
e65efd
    # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
e65efd
    #       succeed even on system which is not EFI-enabled...
e65efd
    if ! efibootmgr > /dev/null 2>&1; then
e65efd
        return
e65efd
    fi
e65efd
e65efd
    # NOTE: It it possible that some other services might be setting the
e65efd
    #       'BootNext' item for any reasons, and we shouldn't override it if so.
e65efd
    if ! efibootmgr | grep --quiet -e 'BootNext'; then
e65efd
        CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
e65efd
        efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
e65efd
    fi
e65efd
}
e65efd
e65efd
relabel_selinux() {
e65efd
    # if /sbin/init is not labeled correctly this process is running in the
e65efd
    # wrong context, so a reboot will be required after relabel
e65efd
    AUTORELABEL=
e65efd
    . /etc/selinux/config
e65efd
    echo "0" > /sys/fs/selinux/enforce
e65efd
    [ -x /bin/plymouth ] && plymouth --quit
e65efd
e65efd
    if [ "$AUTORELABEL" = "0" ]; then
e65efd
	echo
e65efd
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
e65efd
	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
e65efd
	echo $"*** problems. Dropping you to a shell; the system will reboot"
e65efd
	echo $"*** when you leave the shell."
e65efd
	sulogin
e65efd
e65efd
    else
e65efd
	echo
e65efd
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
e65efd
	echo $"*** Relabeling could take a very long time, depending on file"
e65efd
	echo $"*** system size and speed of hard drives."
e65efd
1a445b
	OPTS=`cat /.autorelabel`
1a445b
	# by default, use as many threads as there are available
1a445b
	# another -T X in $OPTS will override the default value
1a445b
	OPTS="-T 0 $OPTS"
1a445b
1a445b
	[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
1a445b
	echo
1a445b
	echo $"Running: /sbin/fixfiles $OPTS restore"
1a445b
	/sbin/fixfiles $OPTS restore
e65efd
    fi
e65efd
e65efd
    rm -f  /.autorelabel
e65efd
    /usr/lib/dracut/dracut-initramfs-restore
e65efd
    efi_set_boot_next
e65efd
    if [ -x /usr/bin/grub2-editenv ]; then
e65efd
        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
e65efd
    fi
e65efd
    sync
1a445b
    systemctl reboot
e65efd
}
e65efd
e65efd
# Check to see if a full relabel is needed
e65efd
if [ "$READONLY" != "yes" ]; then
e65efd
    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
e65efd
    relabel_selinux
e65efd
fi