From 9e12e004bb0345db7156005efeec5e348f64f3fa Mon Sep 17 00:00:00 2001
From: Malte Poll
Date: Wed, 9 Nov 2022 12:04:58 +0100
Subject: [PATCH] Set SELinux from disabled to permissive (#474)

---
 debugd/internal/debugd/constants.go | 1 -
 image/mkosi.conf.d/selinux.conf | 3 +++
 image/mkosi.prepare | 3 +++
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 image/mkosi.conf.d/selinux.conf

diff --git a/debugd/internal/debugd/constants.go b/debugd/internal/debugd/constants.go
index da3bfeafc..3aa036e82 100644
--- a/debugd/internal/debugd/constants.go
+++ b/debugd/internal/debugd/constants.go
@@ -27,7 +27,6 @@ RemainAfterExit=yes
 Restart=on-failure
 EnvironmentFile=/run/constellation.env
 Environment=PATH=/run/state/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
-ExecStartPre=-setenforce Permissive
 ExecStart=/run/state/bin/bootstrapper
 [Install]
 WantedBy=multi-user.target
diff --git a/image/mkosi.conf.d/selinux.conf b/image/mkosi.conf.d/selinux.conf
new file mode 100644
index 000000000..2eddf3550
--- /dev/null
+++ b/image/mkosi.conf.d/selinux.conf
@@ -0,0 +1,3 @@
+[Output]
+# set selinux to permissive
+KernelCommandLine=!selinux=0 selinux=1 enforcing=0
diff --git a/image/mkosi.prepare b/image/mkosi.prepare
index 9df06e565..150d26fb2 100755
--- a/image/mkosi.prepare
+++ b/image/mkosi.prepare
@@ -1,5 +1,8 @@
 #!/bin/sh
 set -euxo pipefail
 
+# set selinux to permissive
+sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
+
 # backport of https://github.com/dracutdevs/dracut/commit/dcbe23c14d13ca335ad327b7bb985071ca442f12
 sed -i 's/WantedBy=multi-user.target/WantedBy=basic.target/' /usr/lib/systemd/system/systemd-resolved.service
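Review bot: The comment above `KernelCommandLine=` in `image/mkosi.conf.d/selinux.conf` names the setting but not its effect: with `selinux=1 enforcing=0` the policy is loaded and denials are logged, but nothing is blocked, so the image gains audit data and no confinement. The mode is also written to `/etc/selinux/config` in `image/mkosi.prepare`, and as far as I know an `enforcing=` argument on the kernel command line takes precedence over that file when the policy is loaded, so both places have to change together once the image moves to enforcing. I would extend the comment to `# permissive: policy loaded, denials logged but not enforced; keep in sync with SELINUX= in mkosi.prepare`.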
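Review bot: The added `sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config` in `image/mkosi.prepare` exits 0 when no line matches, so `set -e` does not stop the build if the base image ships the file with the `SELINUX=` line commented out or absent. In that case the file keeps whatever mode the package default gives, and the build log shows nothing unusual. A check directly after the substitution turns that into a build failure: `grep -qx 'SELINUX=permissive' /etc/selinux/config`. The script may continue past the end of this hunk.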