test: Integrate custom selinux relabelling unit with firstboot

2 files changed, 28 insertions, 3 deletions

diff --git a/test/units/autorelabel.service b/test/units/autorelabel.service
index 7e5f9a2b89..fd652225d9 100644
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@@ -3,9 +3,14 @@
 Description=Relabel all filesystems
 DefaultDependencies=no
 Requires=local-fs.target
-Conflicts=shutdown.target
 After=local-fs.target
-Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=multi-user.target
+# Needs to access /var, which may not have been populated yet
+After=systemd-tmpfiles-setup.service
+# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
+After=systemd-machine-id-commit.service
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
 
@@ -16,4 +21,4 @@ TimeoutSec=infinity
 RemainAfterExit=yes
 
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target
diff --git a/test/units/firstboot-autorelabel.service b/test/units/firstboot-autorelabel.service
new file mode 100644
index 0000000000..b69dcf72a3
--- /dev/null
+++ b/test/units/firstboot-autorelabel.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Activate relabelling on firstboot only
+DefaultDependencies=no
+Wants=first-boot-complete.target
+Requires=local-fs.target
+After=local-fs.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=first-boot-complete.target sysinit.target autorelabel.service
+ConditionPathIsReadWrite=/etc
+ConditionFirstBoot=yes
+
+[Service]
+ExecStart=touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target