#!/bin/bash
#
# Do automatic relabelling
#

. /etc/init.d/functions

PLYMOUTH=
[ -x /usr/bin/plymouth ] && PLYMOUTH=yes

# Check SELinux status
SELINUX_STATE=
if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
	if [ -r "/selinux/enforce" ] ; then
		SELINUX_STATE=$(cat "/selinux/enforce")
	else
		# assume enforcing if you can't read it
		SELINUX_STATE=1
	fi
fi

relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    echo "0" > /selinux/enforce
    [ -n "$PLYMOUTH" ] && plymouth --hide-splash

    if [ "$AUTORELABEL" = "0" ]; then
	echo
	gprintf "*** Warning -- SELinux %s policy relabel is required. \n" ${SELINUXTYPE}
	gprintf "*** /etc/selinux/config indicates you want to manually fix labeling\n"
	gprintf "*** problems. Dropping you to a shell; the system will reboot\n"
	gprintf "*** when you leave the shell.\n"
	sulogin

    else
	echo
	gprintf "*** Warning -- SELinux %s policy relabel is required.\n" ${SELINUXTYPE}
	gprintf "*** Relabeling could take a very long time, depending on file\n"
	gprintf "*** system size and speed of hard drives.\n"

	/sbin/fixfiles -F restore > /dev/null 2>&1
    fi
    rm -f  /.autorelabel
    systemctl --force reboot
}

[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)

# Check to see if a full relabel is needed
if [ -n "$SELINUX_STATE" -a "$READONLY" != "yes" ]; then
    if strstr "$cmdline" autorelabel || [ -f /.autorelabel ] ; then
	restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
	relabel_selinux
    fi
else
    if [ "$READONLY" != "yes" ] && [ -d /etc/selinux ]; then
        [ -f /.autorelabel ] || touch /.autorelabel
    fi
fi
