{"description": "To ensure SELinux is not disabled at boot time,\ncheck that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>\nincluded in its options.<br />", "rationale": "Disabling a major host protection feature, such as SELinux, at boot time prevents\nit from confining system services at boot time.  Further, it increases\nthe chances that it will remain off during system operation.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "SELinux is disabled at boot time", "ocil": "To check that SELinux is not disabled at boot time,\ncheck that no boot entry disables SELinux:\n<pre>sudo grep -lE \"^options\\s+.*\\bselinux=0\\b\" /boot/loader/entries/*.conf</pre>\nNo line should be returned; each line returned is a boot entry that disables SELinux.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "machine", "platforms": ["machine"], "sce_metadata": {}, "inherited_platforms": ["s390x_arch"], "cpe_platform_names": ["machine"], "inherited_cpe_platform_names": ["s390x_arch"], "bash_conditional": null, "fixes": {}, "title": "Ensure SELinux Not Disabled in zIPL", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml", "template": null}