Add a systemd service to check that SELinux is disabled properly

As an additional sanity check to support the removal of runtime
disabling of SELinux [1], add a simple oneshot service to the
selinux-policy package that will print a warning to system journal when
it detects on boot that the system has been booted with SELINUX=disabled
in /etc/selinux/config, but without selinux=0 on the kernel command
line.

Note that as per [2], in order for the service to be enabled by default,
it needs to be added to the Fedora presets.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
[2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

selinux-check-proper-disable.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target

selinux-policy.spec

@@ -59,6 +59,8 @@ Source33: macro-expander
 # Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz
 
+Source36: selinux-check-proper-disable.service
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
 
@@ -66,6 +68,7 @@ Url: %{giturl}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
@@ -88,6 +91,7 @@ the policy has been adjusted to provide support for Fedora.
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service
 
 %package sandbox
 Summary: SELinux sandbox policy
@@ -480,9 +484,13 @@ install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
 
 rm -rf selinux_config
+
 %post
+%systemd_post selinux-check-proper-disable.service
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
 #
 #     New install so we will default to targeted policy
@@ -524,7 +532,11 @@ else
 fi
 exit 0
 
+%preun
+%systemd_preun selinux-check-proper-disable.service
+
 %postun
+%systemd_postun selinux-check-proper-disable.service
 if [ $1 = 0 ]; then
      %{_sbindir}/setenforce 0 2> /dev/null
      if [ ! -s %{_sysconfdir}/selinux/config ]; then