pingcap · dveeden · Jan 20, 2025
diff --git a/pkg/cluster/manager/check.go b/pkg/cluster/manager/check.go
@@ -671,7 +671,7 @@ func fixFailedChecks(host string, res *operator.CheckResult, t *task.Builder, sy
 		}
 		t.Limit(host, fields[0], fields[1], fields[2], fields[3], sudo)
 		msg = fmt.Sprintf("will try to set '%s'", color.HiBlueString(res.Msg))
-	case operator.CheckNameSELinux:
+	case operator.CheckNameSELinuxConf, operator.CheckNameSELinuxStatus:
 		t.Shell(host,
 			fmt.Sprintf(
 				"sed -i 's/^[[:blank:]]*SELINUX=enforcing/SELINUX=disabled/g' %s && %s",

diff --git a/pkg/cluster/operation/check.go b/pkg/cluster/operation/check.go
@@ -59,7 +59,8 @@ var (
 	CheckNameNet           = "network"
 	CheckNameLimits        = "limits"
 	CheckNameSysService    = "service"
-	CheckNameSELinux       = "selinux"
+	CheckNameSELinuxConf   = "selinux_conf"
+	CheckNameSELinuxStatus = "selinux_status"
 	CheckNameCommand       = "command"
 	CheckNameFio           = "fio"
 	CheckNameTHP           = "thp"
@@ -567,10 +568,10 @@ func CheckServices(ctx context.Context, e ctxt.Executor, host, service string, d
 	return result
 }
 
-// CheckSELinux checks if SELinux is enabled on the host
-func CheckSELinux(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult {
+// CheckSELinuxConf checks if SELinux is enabled on the host
+func CheckSELinuxConf(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult {
 	result := &CheckResult{
-		Name: CheckNameSELinux,
+		Name: CheckNameSELinuxConf,
 	}
 	m := module.NewShellModule(module.ShellModuleConfig{
 		// ignore grep errors, the file may not exist for some systems
@@ -591,9 +592,33 @@ func CheckSELinux(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult
 	}
 
 	if lines > 0 {
-		result.Err = fmt.Errorf("SELinux is not disabled")
-	} else {
-		result.Msg = "SELinux is disabled"
+		result.Err = fmt.Errorf("SELinux is not configured to be disabled")
+		return result
+	}
+	result.Msg = "SELinux is disabled in configuration"
+	return result
+}
+
+// CheckSELinuxStatus checks if SELinux is enabled on the host
+func CheckSELinuxStatus(ctx context.Context, e ctxt.Executor, sudo bool) *CheckResult {
+	result := &CheckResult{
+		Name: CheckNameSELinuxStatus,
+	}
+	m := module.NewShellModule(module.ShellModuleConfig{
+		Command: "getenforce",
+		Sudo:    sudo,
+	})
+	stdout, stderr, err := m.Execute(ctx, e)
+	if err != nil {
+		result.Err = fmt.Errorf("%w %s", err, stderr)
+		return result
+	}
+	out := strings.Trim(string(stdout), "\n")
+	if out == "Enforcing" {
+		result.Err = fmt.Errorf("SELinux is in Enforcing mode, Update the configuration and reboot")
+	} else if out == "Permissive" {
+		result.Err = fmt.Errorf("SELinux is in Permissive mode, disabling is recommended")
+		result.Warn = true
 	}
 	return result
 }

diff --git a/pkg/cluster/task/check.go b/pkg/cluster/task/check.go
@@ -85,7 +85,8 @@ func (c *CheckSys) Execute(ctx context.Context) error {
 		}
 		results = append(
 			results,
-			operator.CheckSELinux(ctx, e, sudo),
+			operator.CheckSELinuxConf(ctx, e, sudo),
+			operator.CheckSELinuxStatus(ctx, e, sudo),
 			operator.CheckTHP(ctx, e, sudo),
 		)
 		storeResults(ctx, c.host, results)