Relabel / and /rw if needed

Creating /.autorelabel must cause a Qubes OS VM to relabel everything,
as otherwise users will not be able to troubleshoot their systems and
upstream packages that create it will break.  However, it was ignored,
so fix that.

Furthermore, relabel the filesystem of a TemplateBasedVM whenever its
TemplateVM has been relabeled since the TemplateBasedVM was.  This
ensures that policy changes propagate to TemplateBasedVMs too.

Author: DemiMarie

init/relabel-rw.sh

@@ -0,0 +1,6 @@
+#!/bin/sh --
+set -eu
+if [ /.qubes-relabeled -nt /rw/.autorelabel ]; then
+    restorecon -RF /rw /home /usr/local
+    touch /rw/.autorelabel
+fi

vm-systemd/qubes-relabel-root.service

@@ -3,7 +3,8 @@ Description=Relabel /
 After=qubes-sysinit.service
 Requires=qubes-sysinit.service
 ConditionSecurity=selinux
-ConditionPathExists=!/.qubes-relabeled
+ConditionPathExists=|/.autorelabel
+ConditionPathExists=|!/.qubes-relabeled
 ConditionPathExists=/run/qubes/persistent-full
 DefaultDependencies=no
 Conflicts=shutdown.target

vm-systemd/qubes-relabel-rw.service

@@ -1,18 +1,16 @@
 [Unit]
 Description=Relabel /rw and /home
-After=qubes-mount-dirs.service qubes-sysinit.service
-Requires=qubes-mount-dirs.service qubes-sysinit.service
+After=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
+Requires=qubes-mount-dirs.service qubes-sysinit.service qubes-relabel-root.service
 ConditionSecurity=selinux
-ConditionPathExists=!/rw/.autorelabel
 DefaultDependencies=no
 Conflicts=selinux-autorelabel.service
 Before=local-fs.target rw.mount home.mount qubes-gui-agent.service qubes-qrexec-agent.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/sbin/restorecon -RF /rw /home /usr/local
-ExecStart=/bin/touch /rw/.autorelabel
+ExecStart=/usr/lib/qubes/init/relabel-rw.sh
 
 [Install]
 WantedBy=multi-user.target