When the system is rebooted with SELinux enabled after being disabled temporarily, automatic relabeling is supposed to happen. This is currently broken in Fedora 15.
/etc/rc.sysinit used to do that by touching /.autorelabel when SELinux was disabled. The code still exists in fedora-autorelabel, but it is not executed when needed, because of the conditions the unit has.

We could fix it by dropping the conditions from fedora-autorelabel.service, but that would make the unit more expensive. It's better to add a new unit that will create /.autorelabel as needed based on the SELinux state of the system.

To do that we need to add ConditionSELinux. The new unit will have something like:

  [Unit]
  ...
  ConditionSELinux=disabled
  ConditionPathIsDirectory=/etc/selinux
  ConditionPathExists=!/.autorelabel

  [Service]
  ExecStart=/bin/touch /.autorelabel
  ...

---

Michal Schmidt (4):
  man: document ConditionSELinux
  condition: add ConditionSELinux
  load-fragment: unify config_parse_condition_{kernel,virt}
  condition: fix dumping of conditions

 man/systemd.unit.xml | 12 ++++++++++++
 src/condition.c      | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
 src/condition.h      |  1 +
 src/load-fragment.c  | 45 +++++++--------------------------------------
 4 files changed, 66 insertions(+), 40 deletions(-)

--
Michal