From bab50e162ed829d18dc06da8639392f467b84486 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Fri, 22 Mar 2024 12:34:55 -0400
Subject: [PATCH] install: Change no-SELinux -> SELinux to a warning

We believe we have almost all the labeling work here covered, so degrade this to a warning.

Signed-off-by: Colin Walters
---
 .github/workflows/ci.yml | 2 +-
 lib/src/install.rs | 14 +++----------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 90b39f556..bb022e863 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -143,6 +143,6 @@ jobs:
 # TODO fix https://github.com/containers/bootc/pull/137
 sudo chattr -i /ostree/deploy/default/deploy/*
 sudo rm /ostree/deploy/default -rf
-sudo podman run --rm -ti --privileged --env BOOTC_SKIP_SELINUX_HOST_CHECK=1 --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
+sudo podman run --rm -ti --privileged --env RUST_LOG=debug -v /:/target -v /var/lib/containers:/var/lib/containers -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable \
 ${image} bootc install to-existing-root
 sudo podman run --rm -ti --privileged -v /:/target -v ./usr/bin/bootc:/usr/bin/bootc --pid=host --security-opt label=disable ${image} bootc internal-tests verify-selinux /target/ostree --warn
diff --git a/lib/src/install.rs b/lib/src/install.rs
index 96002fb62..08a582117 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
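Review bot: With `BOOTC_SKIP_SELINUX_HOST_CHECK=1` dropped from the `podman run` line, this job now exercises the new warning path, but the following step still passes `--warn` to `bootc internal-tests verify-selinux`, so presumably a labeling mismatch produced in exactly this no-SELinux-host configuration is reported without failing the job. If the labeling work is considered complete, as the commit message states, dropping `--warn` there (or adding a second invocation without it) would make this job a real regression check for the scenario that is now permitted. The enclosing job definition continues outside the hunk.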
@@ -788,10 +788,6 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 let mut ret_did_override = false;
 // If the target state has SELinux enabled, we need to check the host state.
 let mut g = None;
-// We don't currently quite support installing SELinux enabled systems
-// from SELinux disabled hosts, but this environment variable can be set
-// to test it out anyways.
-let skip_check_envvar = "BOOTC_SKIP_SELINUX_HOST_CHECK";
 if srcdata.selinux {
 let host_selinux = crate::lsm::selinux_enabled()?;
 tracing::debug!("Target has SELinux, host={host_selinux}");
@@ -807,14 +803,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 setup_sys_mount("selinuxfs", SELINUXFS)?;
 // This will re-execute the current process (once).
 g = crate::lsm::selinux_ensure_install_or_setenforce()?;
-} else if std::env::var_os(skip_check_envvar).is_some() {
-eprintln!(
-"Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
-skip_check_envvar
-);
 } else {
-anyhow::bail!(
-"Host kernel does not have SELinux support, but target enables it by default"
+// This used to be a hard error, but is now a mild warning
+crate::utils::medium_visibility_warning(
+"Host kernel does not have SELinux support, but target enables it by default; this is less well tested. See https://github.com/containers/bootc/issues/419",
 );
 }
 } else {
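Review bot: In the new `else` branch of the second hunk `g` stays `None`, so the `selinuxfs` mount and `selinux_ensure_install_or_setenforce` path taken by the sibling branch are skipped and the only trace that the install ran in this mode is the warning; the added comment records history rather than that consequence. Suggested replacement for the comment: `// Host has no SELinux: the selinuxfs/setenforce path is skipped and we rely on the labeling bootc applies itself (see issue 419). This was a hard error before.` Consider also emitting the same condition with `tracing::warn!` so it appears in structured logs and not only wherever `medium_visibility_warning` prints (presumably stderr, like the `eprintln!` it replaces). The `BOOTC_SKIP_SELINUX_HOST_CHECK` override removed in the first hunk now disappears silently, which deserves a line in the commit message or docs for anyone still setting it. reexecute_self_for_selinux_if_needed continues outside both hunks.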