condition: add ConditionSecurity

Using ConditionSecurity a unit can depend on a security module being
enabled/disabled. For now the only recognized security module is SELinux.

I'd like to use this feature for a unit that creates /.autorelabel if
SELinux is disabled, to ensure a relabel is done automatically when the
system is later rebooted with SELinux enabled.

1 files changed, 16 insertions, 0 deletions

diff --git a/src/condition.c b/src/condition.c
index 5ab77d80f8..ee0809f76d 100644
--- a/src/condition.c
+++ b/src/condition.c
@@ -24,6 +24,10 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "util.h"
 #include "condition.h"
 
@@ -128,6 +132,14 @@ static bool test_virtualization(const char *parameter) {
         return streq(parameter, id);
 }
 
+static bool test_security(const char *parameter) {
+#ifdef HAVE_SELINUX
+        if (!strcasecmp(parameter, "SELinux"))
+                return is_selinux_enabled() > 0;
+#endif
+        return false;
+}
+
 bool condition_test(Condition *c) {
         assert(c);
 
@@ -157,6 +169,9 @@ bool condition_test(Condition *c) {
         case CONDITION_VIRTUALIZATION:
                 return test_virtualization(c->parameter) == !c->negate;
 
+        case CONDITION_SECURITY:
+                return test_security(c->parameter) == !c->negate;
+
         case CONDITION_NULL:
                 return !c->negate;
 
@@ -220,6 +235,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
         [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
         [CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
+        [CONDITION_SECURITY] = "ConditionSecurity",
         [CONDITION_NULL] = "ConditionNull"
 };