selinux可以在根目錄下創建.autorelabel文件并輸入"-F"的內容，系統重啟后會根據策略庫的默認配置強制刷新所有文件的安全上下文。

1、如何調用.autorelabel文件

.autorelabel文件是由selinux-autorelabel的systemd服務調用的，根據該服務的配置可以看到，該服務為oneshot類型，僅在系統啟動時運行。運行時調用selinux-autorelabel可執行文件進行下一步處理。

[root@localhost ~]# cat /usr/lib/systemd/system/selinux-autorelabel.service 
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux

[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel #2
Type=oneshot # 1
TimeoutSec=0
RemainAfterExit=yes
StandardInput=tty
[root@localhost ~]# cat /usr/lib/systemd/system/selinux-autorelabel.target 
[Unit]
Description=Relabel all filesystems and reboot
DefaultDependencies=no
Requires=sysinit.target selinux-autorelabel.service
Conflicts=shutdown.target
After=sysinit.target selinux-autorelabel.service
ConditionSecurity=selinux

查看selinux-autorelabel腳本的源碼可以看到。該腳本會根據目錄restorecon所有目錄的安全上下文，但沒有強制刷新。然后會讀取/.autorelabel的文件內容，如果autorelabel存在并為-F，那么將調用二進制文件/sbin/fixfiles強制刷新文件的安全上下文，最后會刪除autorelabel文件并重啟。

[root@localhost ~]# cat /usr/libexec/selinux/selinux-autorelabel 
#!/bin/bash
#
# Do automatic relabelling
#

# . /etc/init.d/functions

# If the user has this (or similar) UEFI boot order:
#
#             Windows | grub | Linux
#
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
# would cause the system to boot into Windows again, if the autorelabel was run.
#
# This function restores the UEFI boot order, so the user will boot into the
# previously set (and expected) partition.
efi_set_boot_next() {
    # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
    #       succeed even on system which is not EFI-enabled...
    if ! efibootmgr > /dev/null 2>&1; then
        return
    fi

    # NOTE: It it possible that some other services might be setting the
    #       'BootNext' item for any reasons, and we shouldn't override it if so.
    if ! efibootmgr | grep --quiet -e 'BootNext'; then
        CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
        efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
    fi
}

relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    echo "0" > /sys/fs/selinux/enforce
    [ -x /bin/plymouth ] && plymouth --quit

    if [ "$AUTORELABEL" = "0" ]; then
	echo
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
	echo $"*** problems. Dropping you to a shell; the system will reboot"
	echo $"*** when you leave the shell."
	sulogin

    else
	echo
	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
	echo $"*** Relabeling could take a very long time, depending on file"
	echo $"*** system size and speed of hard drives."

	FORCE=`cat /.autorelabel`
        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
	/sbin/fixfiles $FORCE restore # 2
    fi

    rm -f  /.autorelabel # 3
    /usr/lib/dracut/dracut-initramfs-restore
    efi_set_boot_next
    if [ -x /usr/bin/grub2-editenv ]; then
        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
    fi
    sync
    systemctl --force reboot # 4
}

# Check to see if a full relabel is needed
if [ "$READONLY" != "yes" ]; then
    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1 # 1
    relabel_selinux
fi

2、fixfiles處理分析

selinux-autorelabel調用指令/sbin/fixfiles -F restore。fixfiles讀取到-F和restore后，根據系統目錄，最終調用/sbin/setfiles來刷新安全上下文。此處值得注意的點是，setfiles刷新目錄的安全上下文時，如果碰到其中某個文件存在權限限制（例如不可更改的屬性），那么會權限錯誤，并推出該目錄的刷新，繼續下一個目錄。

[root@localhost ~]# cat /sbin/fixfiles
...
#
# restore
# if called with -n will only check file context
#
restore () {
...
    *)
        if [ -n "${FILESYSTEMSRW}" ]; then
            LogReadOnly
            echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
            echo "${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}"
            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
        else
            echo >&2 "fixfiles: No suitable file systems found"
        fi
...
process() {
#
# Make sure they specified one of the three valid commands
#
case "$1" in
    restore) restore Relabel;;
...
while getopts "N:BC:FfR:l:vMT:" i; do
    case "$i" in
...
	F)
		FORCEFLAG="-F"
		;;
...