From f79328455608b774425ad1b775f1e3b17358deef Mon Sep 17 00:00:00 2001 From: Ben Cressey Date: Tue, 4 Jan 2022 17:22:10 +0000 Subject: [PATCH] release: fix prepare-local dependencies In order for `setfiles` to work, the SELinux file contexts must have been copied into `/etc`. The dependency is specified with "Wants" rather than "Requires" to avoid restarting the service if selinux-policy-files is restarted for any reason. Subsequent runs would fail and put the system in a bad state until the next reboot. Add RefuseManualStop / RefuseManualStart to both services to indicate the risk during interactive use by an administrator. Signed-off-by: Ben Cressey --- packages/release/prepare-local.service | 4 ++++ packages/selinux-policy/selinux-policy-files.service | 2 ++ 2 files changed, 6 insertions(+) diff --git a/packages/release/prepare-local.service b/packages/release/prepare-local.service index bec31ad6bbe..0245ca14d88 100644 --- a/packages/release/prepare-local.service +++ b/packages/release/prepare-local.service @@ -1,7 +1,11 @@ [Unit] Description=Prepare Local Directory (/local) DefaultDependencies=no +After=selinux-policy-files.service +Wants=selinux-policy-files.service RequiresMountsFor=/local +RefuseManualStart=true +RefuseManualStop=true [Service] Type=oneshot diff --git a/packages/selinux-policy/selinux-policy-files.service b/packages/selinux-policy/selinux-policy-files.service index b9c36ac1019..32638772fc2 100644 --- a/packages/selinux-policy/selinux-policy-files.service +++ b/packages/selinux-policy/selinux-policy-files.service @@ -1,6 +1,8 @@ [Unit] Description=Copy SELinux policy files DefaultDependencies=no +RefuseManualStart=true +RefuseManualStop=true [Service] Type=oneshot
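Review bot: In the prepare-local.service hunk, the added `Wants=selinux-policy-files.service` is a weak dependency, so if that unit fails, prepare-local.service is still started and `setfiles` runs without the file contexts the commit message says it needs in `/etc`. `After=` only orders the two units and does not cover that case. Since the commit message gives a reason for avoiding `Requires=`, consider keeping `Wants=` and adding a guard for the failure path, such as an `AssertPathExists=` on the copied file contexts, plus a short comment in the unit recording why `Wants=` was chosen over `Requires=`.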
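Review bot: In the selinux-policy-files.service hunk, `RefuseManualStart=true` and `RefuseManualStop=true` are added without a comment, and the reason for them (a subsequent run fails and leaves the system in a bad state until the next reboot) is recorded only in the commit message. Add a comment above the two lines in the unit file so that an administrator who gets the refusal from `systemctl` can see why it is there. The same comment would help next to the matching pair in prepare-local.service.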