Add a systemd service to check that SELinux is disabled properly

As an additional sanity check to support the removal of runtime disabling of SELinux [1], add a simple oneshot service to the selinux-policy package that will print a warning to system journal when it detects on boot that the system has been booted with SELINUX=disabled in /etc/selinux/config, but without selinux=0 on the kernel command line. Note that as per [2], in order for the service to be enabled by default, it needs to be added to the Fedora presets. [1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-05-13 16:23:31 +02:00 · 2021-05-13 16:23:31 +02:00 · fd69433906
commit fd69433906
parent a563172755
2 changed files with 27 additions and 0 deletions
--- a/selinux-check-proper-disable.service
+++ b/selinux-check-proper-disable.service
@ -0,0 +1,15 @@
+[Unit]
+Description=Check that SELinux is not disabled the unsafe way
+ConditionKernelCommandLine=!selinux=0
+After=sysinit.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/selinux/config
+ExecCondition=test "$SELINUX" = disabled
+ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
+StandardOutput=journal+console
+SyslogLevel=warning
+
+[Install]
+WantedBy=multi-user.target
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -59,6 +59,8 @@ Source33: macro-expander
 # Git repo: https://github.com/containers/container-selinux.git
 Source35: container-selinux.tgz

+Source36: selinux-check-proper-disable.service
+
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros

@ -66,6 +68,7 @@ Url: %{giturl}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
 BuildRequires: make
+BuildRequires: systemd-rpm-macros
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
@ -88,6 +91,7 @@ the policy has been adjusted to provide support for Fedora.
 %ghost %{_sysconfdir}/sysconfig/selinux
 %{_usr}/lib/tmpfiles.d/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
+%{_unitdir}/selinux-check-proper-disable.service

 %package sandbox
 Summary: SELinux sandbox policy
@ -480,9 +484,13 @@ install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux
 sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy

+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}

 rm -rf selinux_config
+
 %post
+%systemd_post selinux-check-proper-disable.service
 if [ ! -s %{_sysconfdir}/selinux/config ]; then
 #
 #     New install so we will default to targeted policy
@ -524,7 +532,11 @@ else
 fi
 exit 0

+%preun
+%systemd_preun selinux-check-proper-disable.service
+
 %postun
+%systemd_postun selinux-check-proper-disable.service
 if [ $1 = 0 ]; then
     %{_sbindir}/setenforce 0 2> /dev/null
     if [ ! -s %{_sysconfdir}/selinux/config ]; then