SELinux: Forcibly relabel root filesystem on install

This is necessary to ensure that the system is properly labeled for the next boot.
QubesOS · Dec 23, 2022 · 7444214 · 7444214
1 parent 49034e2
commit 7444214
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -700,11 +700,16 @@ printf >> "$i" '### QUBES START ###
 fi
 done
 } 9< %_selinux_store_policy_path/semanage.read.LOCK 8< %_selinux_store_policy_path/semanage.trans.LOCK
+if [ ! -f /.qubes-relabeled ]; then
+    unshare --mount -- /bin/sh -euc 'mount --bind -- / /mnt && exec "$@"' sh setfiles -r /mnt -- /etc/selinux/targeted/contexts/files/file_contexts /mnt && touch /.qubes-relabeled
+fi
+exit 0
 
 %preun selinux
 %systemd_preun qubes-relabel-rw.service
 %systemd_preun qubes-relabel-root.service
 if [ "$1" -eq 0 ]; then
+  rm -f /.qubes-relabeled || exit 1
   if ! grep -E '^SELINUX=(disabled|permissive)$' /etc/selinux/config; then
     echo 'qubes-core-agent-selinux cannot be uninstalled with SELinux in enforcing mode' >&2
     exit 1