Commit

release: fix prepare-local dependencies
In order for `setfiles` to work, the SELinux file contexts must have
been copied into `/etc`.

The dependency is specified with "Wants" rather than "Requires" to
avoid restarting the service if selinux-policy-files is restarted for
any reason. Subsequent runs would fail and put the system in a bad
state until the next reboot.

Add RefuseManualStop / RefuseManualStart to both services to indicate
the risk during interactive use by an administrator.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
bcressey committed Jan 6, 2022
1 parent 90de2ee commit f793284
Showing 2 changed files with 6 additions and 0 deletions.
4 changes: 4 additions & 0 deletions packages/release/prepare-local.service
@@ -1,7 +1,11 @@
[Unit]
Description=Prepare Local Directory (/local)
DefaultDependencies=no
After=selinux-policy-files.service
Wants=selinux-policy-files.service
RequiresMountsFor=/local
RefuseManualStart=true
RefuseManualStop=true

[Service]
Type=oneshot
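Review bot: With `Wants=selinux-policy-files.service` next to `After=` in `[Unit]`, prepare-local.service is still started when selinux-policy-files.service fails, so the labeling step can run without the file contexts it depends on. The restart-propagation argument for avoiding `Requires=` is sound, but the failure case deserves its own guard: have the service check that the copied contexts are present before relabeling and fail loudly if they are not, or add a path assertion to `[Unit]` for the same purpose. The reason for choosing `Wants=` also lives only in the commit message; a short comment above that line would keep a later cleanup from tightening it back to `Requires=`.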
2 changes: 2 additions & 0 deletions packages/selinux-policy/selinux-policy-files.service
@@ -1,6 +1,8 @@
[Unit]
Description=Copy SELinux policy files
DefaultDependencies=no
RefuseManualStart=true
RefuseManualStop=true

[Service]
Type=oneshot
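Review bot: `RefuseManualStart=true` and `RefuseManualStop=true` in `[Unit]` carry no comment, so an administrator whose `systemctl` request is refused has nothing in the unit file that explains why. A one-line comment stating that re-running the copy after boot can leave the system in a bad state until reboot would help, here and in prepare-local.service. These settings only deny explicit user requests; the unit can still be started or stopped as a dependency of another unit, so they signal the risk rather than enforce it, and any future unit that pulls this one in should be reviewed with that in mind.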