PR#5: selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent - rpms/policycoreutils

rpms / policycoreutils

#5 selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent

Closed 5 years ago by plautrba. Opened 5 years ago by dkaspar.

Unknown source master into master

selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent

David Kaspar [Dee'Kej] • 5 years ago

4af347c

selinux-autorelabel

file modified

+26

		`@@ -5,6 +5,30 @@`

		`# . /etc/init.d/functions`

		`+ # If the user has this (or similar) UEFI boot order:`
		`+ #`
		`+ # Windows \| grub \| Linux`
		`+ #`
		`+ # And decides to boot into grub/Linux, then the reboot at the end of autorelabel`
		`+ # would cause the system to boot into Windows again, if the autorelabel was run.`
		`+ #`
		`+ # This function restores the UEFI boot order, so the user will boot into the`
		`+ # previously set (and expected) partition.`
		`+ efi_set_boot_next() {`
		`+ # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could`
		`+ # succeed even on system which is not EFI-enabled...`
		`+ if ! efibootmgr > /dev/null 2>&1; then`
		`+ return`
		`+ fi`
		`+`
		`+ # NOTE: It it possible that some other services might be setting the`
		`+ # 'BootNext' item for any reasons, and we shouldn't override it if so.`
		`+ if ! efibootmgr \| grep --quiet -e 'BootNext'; then`
		`+ CURRENT_BOOT="$(efibootmgr \| grep -e 'BootCurrent' \| sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"`
		`+ efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1`
		`+ fi`
		`+ }`
		`+`
		`relabel_selinux() {`
		`# if /sbin/init is not labeled correctly this process is running in the`
		`# wrong context, so a reboot will be required after relabel`
		`@@ -31,8 +55,10 @@`
		`[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug`
		`/sbin/fixfiles $FORCE restore`
		`fi`
		`+`
		`rm -f /.autorelabel`
		`/usr/lib/dracut/dracut-initramfs-restore`
		`+ efi_set_boot_next`
		`systemctl --force reboot`
		`}`

dkaspar commented 5 years ago

This can be useful when user has this UEFI boot order e.g.:

             Windows | grub | Linux

And decides to boot into grub/Linux. In case the autorelabel service is being run after the boot into grub, then the reboot after the autorelabel is done will cause user to boot into Windows again... This change should make the behaviour more intuitive for the user.

More info: https://bugzilla.redhat.com/show_bug.cgi?id=1450846

rebased onto 68944f9a2c921774558bfc1b3b9bd4ed420502b9

5 years ago

rebased onto 8ff4716eae546965a439f4f9db05bd5a4c955f4e

5 years ago

rebased onto f52a9dc59c28a4231136e668809da3bb2ea942b2

5 years ago

rebased onto 4af347c

5 years ago

dkaspar commented 5 years ago

The negation on 23 is needed, because we DO NOT want to set the BootNext if it is already set. (Some other service could do that after the boot process start and before the autorelabel is being run.)

Regarding the multiple call to efiboomgr:

$ time efibootmgr > /dev/null

real    0m0.023s
user    0m0.000s
sys 0m0.023s

Do you really want me to optimize this? IMHO it's overkill. The service is not being run at every boot (normally), and the times to call efibootmgr command are negligible compared to running the restorecon itself.