From 330ada0a34924ed2e6e52ac99e7a1db39b9553cc Mon Sep 17 00:00:00 2001
From: Kurt H Maier
Date: Wed, 1 May 2019 13:23:10 -0700
Subject: [PATCH 1/2] probe_utils: add check to see if selinux is enforcing (not just enabled)
---
 xCAT-probe/lib/perl/probe_utils.pm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/xCAT-probe/lib/perl/probe_utils.pm b/xCAT-probe/lib/perl/probe_utils.pm
index 115814943..c45fc753b 100644
--- a/xCAT-probe/lib/perl/probe_utils.pm
+++ b/xCAT-probe/lib/perl/probe_utils.pm
@@ -240,6 +240,33 @@ sub is_selinux_enable {
 #------------------------------------------
+=head3
+ Description:
+ Test if SELinux is enforcing in current operating system
+ Arguments:
+ None
+ Returns:
+ 1 : yes
+ 0 : no
+=cut
+
+#------------------------------------------
+sub is_selinux_enforcing {
+ if (-e "/usr/sbin/getenforce") {
+ my $enforce_mode = `/usr/sbin/getenforce`;
+ chomp $enforce_mode;
+ switch ($enforce_mode) {
+ case "Disabled" { return 0; }
+ case "Permissive" { return 0; }
+ case "Enforcing" { return 1; }
+ else { return 0; }
+ } else {
+ return 0;
+ }
+}
+
+#------------------------------------------
+
 =head3
 Description:
 Test if firewall is opened in current operating system
From 761eb497ca5d0365f8a1db47a5b24c05bcc62746 Mon Sep 17 00:00:00 2001
From: Kurt H Maier
Date: Wed, 1 May 2019 13:23:53 -0700
Subject: [PATCH 2/2] xcatprobe xcatmn: warn on selinux permissive, fail on selinux enforcing
---
 xCAT-probe/subcmds/xcatmn | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/xCAT-probe/subcmds/xcatmn b/xCAT-probe/subcmds/xcatmn
index 76b23458d..79b986a42 100755
--- a/xCAT-probe/subcmds/xcatmn
+++ b/xCAT-probe/subcmds/xcatmn
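Review bot: The braces in the new is_selinux_enforcing do not balance as rendered here: the `}` before `else {` closes the `switch` block, which leaves the `if (-e ...)` block open and the sub one `}` short (the diffstat's 27 insertions match the visible added lines, so this does not look like a rendering artefact). `switch`/`case` also depends on the Switch.pm source filter, which is deprecated and no longer ships with core Perl, and I cannot see from this hunk whether probe_utils.pm imports it. Both problems disappear if the body is reduced to one string comparison against `Enforcing`, since every other branch already returns 0. Note that an absent `/usr/sbin/getenforce` or a failing command (empty output, `$?` is never checked) also yields 0, i.e. the probe fails open and reports "not enforcing" when it could not tell; a comment should say so, as in the rewrite below.
```perl
sub is_selinux_enforcing {
    # getenforce is the only source consulted: if the binary is missing or
    # prints nothing (command failed) this reports 0 -- fail-open.
    return 0 unless -e "/usr/sbin/getenforce";
    my $enforce_mode = `/usr/sbin/getenforce`;
    chomp $enforce_mode;
    # Only "Enforcing" counts; "Permissive" and "Disabled" both return 0.
    return ($enforce_mode eq "Enforcing") ? 1 : 0;
}
```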
@@ -93,8 +93,9 @@ sub do_main_job {
 $rc |= $rst;
 #check if SElinux is disabled
- $rst = check_selinux(\$checkpoint, \@error);
- print_check_result($checkpoint, "f", $rst, \@error);
+ ($rst, $flag) = check_selinux(\$checkpoint, \@error);
+ print_check_result($checkpoint, $flag, $rst, \@error);
+ $rst = 0 if ($flag == "w");
 $rc |= $rst;
 #check http service
@@ -677,16 +678,26 @@ sub check_selinux {
 my $checkpoint_ref = shift;
 my $error_ref = shift;
 my $rst = 0;
+ my $flag = "w";
+ my $msg = "";
 $$checkpoint_ref = "Checking SELinux is disabled...";
 @$error_ref = ();
 if (probe_utils->is_selinux_enable()) {
- push @$error_ref, "SELinux is enabled on current server";
+ $msg = "SELinux is enabled on current server";
 $rst = 1;
+ $flag = "w";
 }
-
- return $rst;
+ if (probe_utils->is_selinux_enforcing()) {
+ $msg = "SELinux is enforcing on current server";
+ $rst = 1;
+ $flag = "f";
+ }
+ if ($rst) {
+ push @error_ref, "$msg";
+ }
+ return ($rst, $flag);
 }
 sub check_firewall {
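Review bot: `$rst = 0 if ($flag == "w");` in do_main_job compares two strings numerically: `"f" == "w"` is `0 == 0`, so the condition is always true (with an "isn't numeric" warning under `use warnings`) and `$rst` is cleared even when check_selinux returned the fail flag, meaning an enforcing SELinux never reaches `$rc`. It needs the string operator: `$rst = 0 if ($flag eq "w");`. I also do not see a `my $flag` declaration in this hunk; if do_main_job runs under `use strict` and does not declare it further up, the new list assignment will not compile. The sub starts and ends outside the hunk, so that part is an inference to confirm.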
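Review bot: `push @error_ref, "$msg";` in check_selinux pushes onto a different array from the one the caller passed in: `$error_ref` is a reference, and the removed line correctly used `@$error_ref`. As written the message is either lost (the caller's @error stays empty) or, under `use strict`, the file fails to compile with "Global symbol @error_ref requires explicit package name". Change it to `push @$error_ref, $msg;`. The two `if` blocks are independent rather than `elsif`, which works because the enforcing branch deliberately overrides `$msg` and `$flag` set by the enabled branch; a one-line comment above the second test, `# enforcing implies enabled: this test upgrades the warning to a failure`, would make that intent explicit.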