diff --git a/README.SUSE b/README.SUSE
index 6dc752d..c522c78 100644
--- a/README.SUSE
+++ b/README.SUSE
@@ -18,6 +18,10 @@ Changes for openSUSE / SLE:
 Set timeout for Ignition device so boot will just continue if no physical Ignition configuration device is attached (e.g. when using platform specific configuration).
+* ignition-touch-selinux-autorelabel.conf:
+ Trigger SELinux autorelabel after Ignition runs; Ignition would support
+ SELinux itself, however this is a compile time option, so it can't be
+ used here.
 * ignition-suse-generator: Supplements the upstream generator by adding dependencies to ignition-setup-user.service and ignition-mount-initrd-fstab.service.
diff --git a/ignition-mount-initrd-fstab.service b/ignition-mount-initrd-fstab.service
index 296267f..5c283f0 100644
--- a/ignition-mount-initrd-fstab.service
+++ b/ignition-mount-initrd-fstab.service
@@ -18,6 +18,6 @@ Before=ignition-files.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/bin/sh -c 'eval $(awk '"'"'$4 ~ /x-initrd.mount/ {print "if ! findmnt /sysroot" $2 " >/dev/null; then mount -t " $3 " -o " $4 " " $1 " /sysroot" $2 "; fi;" }'"'"' /sysroot/etc/fstab)'
+ExecStart=/bin/sh -c 'eval $(awk '"'"'$4 ~ /x-initrd.mount/ && $1 !~ /^#/ {print "if ! findmnt /sysroot" $2 " >/dev/null; then mount -t " $3 " -o " $4 " " $1 " /sysroot" $2 "; fi;" }'"'"' /sysroot/etc/fstab)'
 ExecStop=/bin/sh -c 'if [ -f /sysroot/etc/systemd/system-preset/20-ignition.preset ]; then while read line; do systemctl --root=/sysroot $line; done < /sysroot/etc/systemd/system-preset/20-ignition.preset; fi'
 ExecStop=/usr/bin/umount -a -O "x-initrd.mount"
diff --git a/ignition-touch-selinux-autorelabel.conf b/ignition-touch-selinux-autorelabel.conf
new file mode 100644
index 0000000..58872ce
--- /dev/null
+++ b/ignition-touch-selinux-autorelabel.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStart=/usr/bin/sh -c 'if [ -e /sysroot/etc/selinux/.relabelled ]; then >> /sysroot/etc/selinux/.autorelabel; fi'
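Review bot: The new ExecStart still pastes the fstab fields `$1`–`$4` unquoted into a string that is passed to `eval`, so whitespace or shell metacharacters in a device, mount point or option value are interpreted by the initrd shell instead of reaching `mount` as data; the added `$1 !~ /^#/` test only keeps comment rows out. I would drop the `eval` and treat the file as data, most easily in a small helper script: loop with `while read -r dev mp fstype opts _` and run `findmnt "/sysroot$mp" >/dev/null || mount -t "$fstype" -o "$opts" "$dev" "/sysroot$mp"` for the rows that qualify. The option match is also loose, since `/x-initrd.mount/` is unanchored and its `.` matches any character; testing against the comma-separated list (for example `case ",$opts," in *,x-initrd.mount,*)`) is exact. The [Unit] part of this file is outside the hunk, so ordering was not reviewed.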
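Review bot: Nothing in the two-line drop-in explains why the relabel marker is written only when `/sysroot/etc/selinux/.relabelled` exists, although that test decides whether files created by Ignition get their SELinux labels fixed on the next boot. A comment above ExecStart would make the intent checkable, e.g. `# Request a relabel only on systems that have been labelled before (.relabelled present)`; the stated reason is my reading and needs confirming by the author. It should also say whether a failed `>>` redirect is meant to fail ignition-files.service, because as written the error is not ignored. Minor: this file calls `/usr/bin/sh` while ignition-mount-initrd-fstab.service calls `/bin/sh`; one spelling would be consistent.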
diff --git a/ignition.changes b/ignition.changes
index 6b5f072..9db7aaa 100644
--- a/ignition.changes
+++ b/ignition.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar 25 09:59:53 UTC 2022 - Ignaz Forster
+
+- Add ignition-touch-selinux-autorelabel.conf:
+ Trigger SELinux autorelabel after Ignition runs; Ignition would
+ support SELinux itself, however this is a compile time option, so
+ it can't be used here.
+- Filter commented lines in ignition-mount-initrd-fstab.service
+
 -------------------------------------------------------------------
 Fri Mar 4 10:46:21 UTC 2022 - Fabian Vogt
diff --git a/ignition.spec b/ignition.spec
index 6b79ca7..2cc57b1 100644
--- a/ignition.spec
+++ b/ignition.spec
@@ -36,6 +36,7 @@ Source10: ignition-enable-network.service
 Source11: ignition-enable-network.sh
 Source12: ignition-kargs-helper
 Source13: ignition-remove-reconfig_system.service
+Source14: ignition-touch-selinux-autorelabel.conf
 Source20: ignition-userconfig-timeout.conf
 Source21: ignition-userconfig-timeout-arm.conf
 Patch2: 0002-allow-multiple-mounts-of-same-device.patch
@@ -87,7 +88,7 @@ which creates firstboot_happened after the first boot.
 mkdir dracut/30ignition-microos grub systemd_suse
 chmod +x %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE12}
-cp %{SOURCE1} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE13} dracut/30ignition-microos/
+cp %{SOURCE1} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE13} %{SOURCE14} dracut/30ignition-microos/
 %ifarch aarch64 %{arm}
 cp %{SOURCE21} dracut/30ignition-microos/ignition-userconfig-timeout.conf
 %else
diff --git a/module-setup.sh b/module-setup.sh
index 48a44c9..33e416c 100644
--- a/module-setup.sh
+++ b/module-setup.sh
@@ -23,6 +23,8 @@ install() {
 "$systemdsystemunitdir/ignition-mount-initrd-fstab.service"
 inst_simple "$moddir/ignition-userconfig-timeout.conf" \
 "$systemdsystemunitdir/dev-disk-by\x2dlabel-ignition.device.d/ignition-userconfig-timeout.conf"
+ inst_simple "$moddir/ignition-touch-selinux-autorelabel.conf" \
+ "$systemdsystemunitdir/ignition-files.service.d/ignition-touch-selinux-autorelabel.conf"
 inst_simple "$moddir/ignition-suse-generator" \
 "/etc/systemd/system-generators/ignition-generator"
 inst_script "$moddir/ignition-enable-network.sh" \