Bear with me please, because i might not fully grasp the issue (i received help with diagnosing this issue):

This commit causes issues (and is, i think, a lousy hack): e3cab998b48ab293a9962faf9779d70ca339c65d

The commit causes entities to "think" that SELinux is disabled after "mount -o remount,ro /sys/fs/selinux

It is "neat" to be able to make processes "think" that selinux is disabled on a selinux enabled system but not if it break anything

The above results in the following:

Systemd services that have ProtectKernelTunables=yes set in their respective service units, think that SELinux is disabled.

However we have found that some of these services actually rely on SELinux to ensure proper labeling.

So we have the option to make people aware that if you set ProtectKernelTunables=yes that then the process cannot be SELinux-aware properly, or we can just get rid of the commit above and just accept that process know that SELinux is enabled.

Actual bug that caused me to look into this: systemd-localed selinux awareness is broken due it having ProtectKernelTunables=yes in its service unit


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift