mirror of
https://github.com/ansible-collections/ansible.posix.git
synced 2026-05-14 21:42:01 +00:00
Merge pull request #142 from WOnder93/selinux-disable-kernel
selinux: update kernel boot params when disabling/re-enabling SELinux

SUMMARY
The ability to disable SELinux from userspace based on the configuration file is being deprecated in favor of the selinux=0 kernel boot parameter. (Note that this affects only the "full" disable; switching to/from permissive mode will work the same as before.)

Therefore, enhance the selinux module to try to set/unset the kernel command-line parameter using grubby when enabling/disabling SELinux. If the grubby package is not present on the system, the module will only update the config file and report a warning.

Note that even with the runtime disable functionality removed, setting SELINUX=disabled in the config file will lead to a system with no SELinux policy loaded, which will behave in a very similar way as if SELinux was fully disabled, only there could still be some minor performance impact, since the kernel hooks will still be active.

More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/
https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable

ISSUE TYPE
Feature Pull Request

COMPONENT NAME
selinux module

Reviewed-by: Adam Miller <maxamillion@fedoraproject.org>
Reviewed-by: Ondrej Mosnáček <omosnacek@gmail.com>
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: quidame <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
Reviewed-by: None <None>
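An added audit sketch, not code from the ansible.posix selinux module: it compares the SELINUX= value from the config file with the selinux= kernel boot parameter to flag a host where only the config file was changed, the fallback the commit message describes when grubby is missing. The function names, state labels, last-occurrence-wins parsing and sample inputs are assumptions of this example.

```python
import re

# Constructed sample inputs (not taken from a real host).
CONFIG_DISABLED = "# sample config\nSELINUX=disabled\nSELINUXTYPE=targeted\n"
CONFIG_ENFORCING = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"
CMDLINE_PLAIN = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
CMDLINE_OFF = CMDLINE_PLAIN + " selinux=0"


def config_mode(config_text):
    """Return the SELINUX= value from config file text, or None if absent."""
    mode = None
    for line in config_text.splitlines():
        # Anchored match: skips comments and the separate SELINUXTYPE= key.
        m = re.match(r"\s*SELINUX\s*=\s*(\w+)\s*$", line)
        if m:
            mode = m.group(1).lower()  # assumption: last occurrence wins
    return mode


def cmdline_selinux(cmdline):
    """Return the value of selinux=<n> on the kernel command line, or None."""
    value = None
    for param in cmdline.split():
        if param.startswith("selinux="):
            value = param.split("=", 1)[1]  # assumption: last occurrence wins
    return value


def classify(config_text, cmdline):
    """Label how the config file and the boot parameter relate."""
    mode = config_mode(config_text)
    boot = cmdline_selinux(cmdline)
    if boot == "0":
        # Boot parameter set: consistent only if the config also says disabled.
        return "disabled-at-boot" if mode == "disabled" else "stale-boot-param"
    if mode == "disabled":
        # Config file alone: the case the commit message warns about.
        return "config-only-disable"
    return "enabled"


if __name__ == "__main__":
    # On a live host, read /etc/selinux/config and /proc/cmdline instead.
    for cfg in (CONFIG_DISABLED, CONFIG_ENFORCING):
        for cmd in (CMDLINE_PLAIN, CMDLINE_OFF):
            print(config_mode(cfg), cmdline_selinux(cmd), "->", classify(cfg, cmd))
```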
@@ -0,0 +1,2 @@
|
||||
minor_changes:
|
||||
- selinux - optionally update kernel boot params when disabling/re-enabling SELinux (https://github.com/ansible-collections/ansible.posix/pull/142).
|
||||
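Review bot: "optionally" in the minor_changes entry reads as if the module gained a user-facing option, while the commit message says the boot-parameter update depends on whether grubby is installed, with a warning and a config-file-only change otherwise. Suggest naming that condition in the entry, for example "update kernel boot params via grubby when disabling/re-enabling SELinux (warns and updates only the config file if grubby is absent)", so readers of the changelog know when the kernel command line is actually touched.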