From c97c7f565bc704c00edae735a6be173338894bbe Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 9 Mar 2023 09:35:17 -0600
Subject: [PATCH] Add restorecon service

This service runs `restorecon` on `/var` to fix any errant SELinux labels when the system first boots following an update.
---
 .../systemd/system-preset/80-local-default.preset | 2 ++
 overlay/usr/lib/systemd/system/restorecon.service | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 overlay/usr/lib/systemd/system/restorecon.service

diff --git a/overlay/usr/lib/systemd/system-preset/80-local-default.preset b/overlay/usr/lib/systemd/system-preset/80-local-default.preset
index b7e7ea9..9ed307d 100644
--- a/overlay/usr/lib/systemd/system-preset/80-local-default.preset
+++ b/overlay/usr/lib/systemd/system-preset/80-local-default.preset
@@ -1,5 +1,7 @@
 enable auditd.service
+enable restorecon.service
+
 disable ldconfig.service
 disable systemd-userdbd.service
diff --git a/overlay/usr/lib/systemd/system/restorecon.service b/overlay/usr/lib/systemd/system/restorecon.service
new file mode 100644
index 0000000..1b2fa45
--- /dev/null
+++ b/overlay/usr/lib/systemd/system/restorecon.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Restore SELinux file contexts in /var
+ConditionNeedsUpdate=/var
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+Before=systemd-tmpfiles-setup.service
+Before=systemd-update-done.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/restorecon -RFv /var
+
+[Install]
+WantedBy=sysinit.target
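Review bot: `ExecStart=/usr/sbin/restorecon -RFv /var` in the new unit uses `-F`, which resets the whole context (user, role and range as well as type) and also relabels customizable types. Any label under `/var` that was set with `chcon` or assigned by a container or VM runtime (for example per-instance MCS categories) would therefore be replaced by the policy default on the first boot after every update. Whether this image keeps such content in `/var` is not visible from the patch; if it does, either drop the flag (`ExecStart=/usr/sbin/restorecon -Rv /var`) or skip those trees with `-e <DIR>`, and add a comment in the unit saying why a forced relabel is wanted. `Before=systemd-update-done.service` is ordering only, so a failed run is presumably not retried on the next boot once the update stamp is written, leaving the `-v` output in the journal as the only record of what was relabelled.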