Bug 1592221 - PATCH: selinux-autorelabel: Fix splash not hiding, Increment boot_indeterminate grub environment variable
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-06-18 08:38 UTC by Hans de Goede
Modified: 2018-06-18 10:05 UTC (History)

Fixed In Version: policycoreutils-2.8-3.fc29
Last Closed: 2018-06-18 09:35:20 UTC
Type: Bug


Attachments
[PATCH 1/2] selinux-autorelabel: Use plymouth --quit rather then --hide-splash (1.17 KB, patch)
2018-06-18 08:38 UTC, Hans de Goede
[PATCH 2/2] selinux-autorelabel: Increment boot_indeterminate grub environment variable (1.95 KB, patch)
2018-06-18 08:39 UTC, Hans de Goede

Description Hans de Goede 2018-06-18 08:38:50 UTC
Created attachment 1452558 [details]
[PATCH 1/2] selinux-autorelabel: Use plymouth --quit rather then --hide-splash

Hi,

Here are 2 patches (to apply on a fedpkg clone) with 1 fix for and 1 improvement to the selinux-autorelabel script:

[PATCH 1/2] selinux-autorelabel: Use plymouth --quit rather then --hide-splash

plymouth by default waits for 5 seconds before showing the splash so
that the splash simply gets skipped on real quick boots.

In my testing it seems that --hide-splash is a no-op when run before
the 5 seconds have passed and the splash is shown, causing the splash
to still be there during a relabel. Note this problem only shows when
*not* using disk-encryption.

Switching to plymouth --quit fixes this.

[PATCH 2/2] selinux-autorelabel: Increment boot_indeterminate grub environment variable

For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu

Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.

A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.

grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger than 1 (*) and
the grub menu will be shown allowing the user to try and fix things.

*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.

This commit makes the selinux-autorelabel script call:
grub2-editenv - incr boot_indeterminate
for proper integration with this new grub feature.

###

Note I've not added .spec file changelog entries, since those just tend to get in the way of being able to cleanly apply the patches. The patch subjects are probably good candidates for specfile changelog entries.

Regards,

Hans
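
The counter behaviour described in the comment above, as a small shell model. This is an added example, not code from the patches, grub, or policycoreutils. It assumes a hypothetical `prev_ok` flag standing in for grub's "previous boot succeeded" state, and assumes the counter is reset after a successful normal boot, as "count of special boots since the last successful normal boot" implies.

```shell
#!/bin/sh
# Toy model: state lives in shell variables, not in the real grub environment block.
boot_indeterminate=0   # special boots since the last successful normal boot
prev_ok=0              # hypothetical stand-in for grub's "previous boot succeeded" flag
menu=shown

# What grub does at the start of every boot, per the description. Sets $menu.
grub_stage() {
    if [ "$prev_ok" -eq 1 ] || [ "$boot_indeterminate" -eq 1 ]; then
        menu=hidden
    else
        menu=shown
    fi
    if [ "$prev_ok" -eq 1 ]; then
        boot_indeterminate=0      # assumed reset after a successful normal boot
    elif [ "$boot_indeterminate" -eq 1 ]; then
        boot_indeterminate=2      # the (*) note: one increment hides the menu only once
    fi
    prev_ok=0
}

# Boot outcomes. A relabel reboots without completing the boot, so prev_ok stays 0.
boot_normal()  { grub_stage; prev_ok=1; }
# The increment models: grub2-editenv - incr boot_indeterminate
boot_relabel() { grub_stage; boot_indeterminate=$((boot_indeterminate + 1)); }
boot_failed()  { grub_stage; }

# Run a sequence of boots from a healthy system; print the menu state at each boot.
simulate() {
    boot_indeterminate=0
    prev_ok=1
    out=""
    for kind in "$@"; do
        "boot_$kind"
        out="$out${out:+ }$menu"
    done
    echo "$out"
}

echo "single relabel:  $(simulate normal relabel normal normal)"
echo "relabel loop:    $(simulate normal relabel relabel relabel)"
echo "relabel + fails: $(simulate normal relabel failed failed)"
```

In this model a single relabel never exposes the menu, while a relabel loop or a failed boot following the relabel shows it from the second affected boot onward.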

Comment 1 Hans de Goede 2018-06-18 08:39:22 UTC
Created attachment 1452559 [details]
[PATCH 2/2] selinux-autorelabel: Increment boot_indeterminate grub environment variable

Comment 2 Petr Lautrbach 2018-06-18 09:35:20 UTC
Thanks!

Comment 3 Hans de Goede 2018-06-18 09:40:35 UTC
You're welcome and thank you for applying these so quickly.

