From d68f77169f19f859b81cb55085d732c6cbaa8558 Mon Sep 17 00:00:00 2001
From: ckyrouac
Date: Wed, 14 Feb 2024 08:25:03 -0500
Subject: [PATCH 1/2] lsm: Look for selinuxfs mounted on host
This ensures we handle the case where SELinux is compile in the kernel (e.g. Fedora) but where it's disabled at runtime via selinux=0. fixes #303
Signed-off-by: ckyrouac
---
lib/src/lsm.rs | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
index 74c9feb90..e6bf5ed41 100644
--- a/lib/src/lsm.rs
+++ b/lib/src/lsm.rs
@@ -24,8 +24,9 @@ const SELF_CURRENT: &str = "/proc/self/attr/current";
 #[context("Querying selinux availability")]
 pub(crate) fn selinux_enabled() -> Result {
- let filesystems = std::fs::read_to_string("/proc/filesystems")?;
- Ok(filesystems.contains("selinuxfs\n"))
+ Path::new("/proc/1/root/sys/fs/selinux/enforce") .try_exists() .map_err(Into::into)
 }
 /// Get the current process SELinux security context
From 3921b719894c67856e0c2b35d7cb3a794ff35d91 Mon Sep 17 00:00:00 2001
From: ckyrouac
Date: Wed, 14 Feb 2024 08:31:29 -0500
Subject: [PATCH 2/2] install: Make --disable-selinux always override host state
If the user disables SELinux, we should always honor that and not care about the host state. fixes: #303
Signed-off-by: ckyrouac
---
lib/src/install.rs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/src/install.rs b/lib/src/install.rs
index c40226fdd..2067a5bb6 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
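Review bot: `try_exists()` on `/proc/1/root/sys/fs/selinux/enforce` returns an error, not `false`, when the caller lacks ptrace-read access to PID 1 (an unprivileged process, for instance), and `.map_err(Into::into)` turns that into a hard failure of selinux_enabled() where the old /proc/filesystems read answered for any user. Consider matching `std::io::ErrorKind::PermissionDenied` and returning an error that names the privilege requirement, or at least documenting that the query now needs access to PID 1's root; `Path` must also be in scope in lsm.rs, which the hunk does not show. The hard-coded path deserves a why-comment, e.g. `// Probe selinuxfs through PID 1's root so the host's state is seen even when this process's /sys/fs/selinux is not mounted; with selinux=0 the file is absent.`, and a named constant beside SELF_CURRENT would match the file's existing style. Presence of `enforce` only shows selinuxfs is mounted, not whether the mode is enforcing or permissive, which is consistent with the function name but worth stating in its doc comment.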
@@ -732,7 +732,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 if srcdata.selinux {
 let host_selinux = crate::lsm::selinux_enabled()?;
 tracing::debug!("Target has SELinux, host={host_selinux}");
- if host_selinux {
+ if override_disable_selinux {
+ ret_did_override = true;
+ println!("notice: Target has SELinux enabled, overriding to disable")
+ } else if host_selinux {
 // /sys/fs/selinuxfs is not normally mounted, so we do that now.
 // Because SELinux enablement status is cached process-wide and was very likely
 // already queried by something else (e.g. glib's constructor), we would also need
@@ -741,9 +744,6 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 crate::lsm::container_setup_selinux()?;
 // This will re-execute the current process (once).
 g = crate::lsm::selinux_ensure_install_or_setenforce()?;
- } else if override_disable_selinux {
- ret_did_override = true;
- println!("notice: Target has SELinux enabled, overriding to disable")
 } else if std::env::var_os(skip_check_envvar).is_some() {
 eprintln!(
 "Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
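Review bot: `crate::lsm::selinux_enabled()?` on the context line just above the new branch still runs before `override_disable_selinux` is consulted, so a failing host query aborts reexecute_self_for_selinux_if_needed even when the user asked to ignore host state, which is exactly what the commit says it wants to always honor. Guarding the query keeps that promise, e.g. `let host_selinux = !override_disable_selinux && crate::lsm::selinux_enabled()?;` (the debug line then reports host=false under override, which a short comment should say). The new notice uses `println!` while the neighbouring branch reports with `eprintln!`; a human-readable notice on stdout can land inside output a caller parses, so `eprintln!("notice: Target has SELinux enabled, overriding to disable");` would be both consistent and safer. The enclosing function begins outside this hunk, and the second hunk at -741 is the deletion half of the same move and needs no separate change.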