fd69433906
As an additional sanity check to support the removal of runtime disabling of SELinux [1], add a simple oneshot service to the selinux-policy package that will print a warning to system journal when it detects on boot that the system has been booted with SELINUX=disabled in /etc/selinux/config, but without selinux=0 on the kernel command line.

Note that as per [2], in order for the service to be enabled by default, it needs to be added to the Fedora presets.

[1] https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
[2] https://docs.fedoraproject.org/en-US/packaging-guidelines/DefaultServices/#_how_to_enable_a_service_by_default

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
16 lines
538 B
Desktop File
[Unit]
Description=Check that SELinux is not disabled the unsafe way
ConditionKernelCommandLine=!selinux=0
After=sysinit.target

[Service]
Type=oneshot
EnvironmentFile=/etc/selinux/config
ExecCondition=test "$SELINUX" = disabled
ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
StandardOutput=journal+console
SyslogLevel=warning

[Install]
WantedBy=multi-user.target
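The same two conditions the unit evaluates (no `selinux=0` word on the kernel command line, and `SELINUX=disabled` in the config file), written as an added shell audit that is not part of this commit or of the selinux-policy package. The function names and the printed state labels are assumptions made for this example; both file paths can be overridden so the check can be run against copies collected from other hosts.

```shell
#!/bin/sh
# Added example: offline audit mirroring the unit's two conditions.
# Function names and state labels are hypothetical, chosen for this example.

# Print the effective SELINUX= value from a config file. Comment lines and
# SELINUXTYPE= do not match; the last assignment wins, as in EnvironmentFile=.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Succeed only if the exact word selinux=0 is present, so that near misses
# such as noselinux=0 or selinux=01 are not counted.
cmdline_has_selinux0() {
    tr -s ' \t' '\n' < "$1" | grep -qxF 'selinux=0'
}

# Print one state label for a (config, cmdline) pair:
#   disabled-at-boot  selinux=0 was passed to the kernel
#   unsafe-disabled   SELINUX=disabled without selinux=0 (the case the unit warns about)
#   config-<mode>     anything else, e.g. config-enforcing
selinux_disable_state() {
    config=${1:-/etc/selinux/config}
    cmdline=${2:-/proc/cmdline}
    mode=$(selinux_config_mode "$config")
    if cmdline_has_selinux0 "$cmdline"; then
        echo "disabled-at-boot"
    elif [ "$mode" = "disabled" ]; then
        echo "unsafe-disabled"
    else
        echo "config-${mode:-unset}"
    fi
}
```

Calling `selinux_disable_state` with no arguments checks the running system; a result of `unsafe-disabled` is the case in which the unit above prints its warning.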