diff --git a/selinux-check-proper-disable.service b/selinux-check-proper-disable.service
new file mode 100644
index 0000000..8f3b4da
--- /dev/null
+++ b/selinux-check-proper-disable.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 998357c..c9f0fe6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -59,6 +59,8 @@ Source33: macro-expander
 # Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz
 
+Source36: selinux-check-proper-disable.service
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
 
@@ -66,6 +68,7 @@ Url: %{giturl}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
@@ -88,6 +91,7 @@ the policy has been adjusted to provide support for Fedora.
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service
 
 %package sandbox
 Summary: SELinux sandbox policy
@@ -480,9 +484,13 @@ install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
 
 rm -rf selinux_config
+
 %post
+%systemd_post selinux-check-proper-disable.service
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
 #
 #     New install so we will default to targeted policy
@@ -524,7 +532,11 @@ else
 fi
 exit 0
 
+%preun
+%systemd_preun selinux-check-proper-disable.service
+
 %postun
+%systemd_postun selinux-check-proper-disable.service
 if [ $1 = 0 ]; then
      %{_sbindir}/setenforce 0 2> /dev/null
      if [ ! -s %{_sysconfdir}/selinux/config ]; then