diff --git a/lib/src/install.rs b/lib/src/install.rs
index c40226fdd..2067a5bb6 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -732,7 +732,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 if srcdata.selinux {
 let host_selinux = crate::lsm::selinux_enabled()?;
 tracing::debug!("Target has SELinux, host={host_selinux}");
- if host_selinux {
+ if override_disable_selinux {
+ ret_did_override = true;
+ println!("notice: Target has SELinux enabled, overriding to disable")
+ } else if host_selinux {
 // /sys/fs/selinuxfs is not normally mounted, so we do that now.
 // Because SELinux enablement status is cached process-wide and was very likely
 // already queried by something else (e.g. glib's constructor), we would also need
@@ -741,9 +744,6 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 crate::lsm::container_setup_selinux()?;
 // This will re-execute the current process (once).
 g = crate::lsm::selinux_ensure_install_or_setenforce()?;
- } else if override_disable_selinux {
- ret_did_override = true;
- println!("notice: Target has SELinux enabled, overriding to disable")
 } else if std::env::var_os(skip_check_envvar).is_some() {
 eprintln!(
 "Host kernel does not have SELinux support, but target enables it by default; {} is set, continuing anyways",
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
index 74c9feb90..e6bf5ed41 100644
--- a/lib/src/lsm.rs
+++ b/lib/src/lsm.rs
@@ -24,8 +24,9 @@ const SELF_CURRENT: &str = "/proc/self/attr/current";
 #[context("Querying selinux availability")]
 pub(crate) fn selinux_enabled() -> Result {
- let filesystems = std::fs::read_to_string("/proc/filesystems")?;
- Ok(filesystems.contains("selinuxfs\n"))
+ Path::new("/proc/1/root/sys/fs/selinux/enforce")
+ .try_exists()
+ .map_err(Into::into)
 }
 /// Get the current process SELinux security context
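Review bot: The relocated `override_disable_selinux` branch in the first install.rs hunk now takes precedence over `host_selinux`, so an install run with the override on a SELinux-capable host skips the selinuxfs mount and the re-exec entirely, which presumably leaves the target without labeling setup; that precedence change is not stated anywhere in the hunk, and the second hunk only shows the old branch being removed. A one-line comment above the new `if`, such as `// An explicit disable request wins over host SELinux support: skip the selinuxfs mount and re-exec entirely.`, would make the intent readable to the next maintainer. The notice is also written with `println!` while the sibling `skip_check_envvar` branch reports through `eprintln!`; `eprintln!("notice: Target has SELinux enabled, overriding to disable");` keeps the security-relevant diagnostic on stderr with the rest so it is not lost when stdout is piped or captured. The enclosing function starts and ends outside both hunks, so how `ret_did_override` is surfaced to the caller cannot be confirmed here.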
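Review bot: `selinux_enabled` now answers a different question than its `#[context("Querying selinux availability")]` attribute and the caller's "Host kernel does not have SELinux support" message describe: instead of checking kernel support via `/proc/filesystems` it checks whether an `enforce` node exists under `/sys/fs/selinux` in PID 1's root, which depends on the PID namespace the installer runs in and on selinuxfs being mounted there, so it can report false on a kernel that does support SELinux. Traversing `/proc/1/root` also requires ptrace-level access to PID 1, and `try_exists` returns `Err` rather than `Ok(false)` when existence cannot be determined, so an insufficiently privileged run now fails closed with a permission error instead of reporting "no SELinux"; that is the safer outcome but is undocumented. Suggest a doc comment on the function, e.g. `/// Whether SELinux is enabled for the host as seen through PID 1's root; errors (rather than reporting false) if /proc/1/root cannot be traversed.`, and hoisting the path next to the neighbouring `SELF_CURRENT` as a named constant (e.g. `const HOST_SELINUX_ENFORCE: &str = "/proc/1/root/sys/fs/selinux/enforce";`) so the two procfs paths live together. Whether `Path` is imported in this file is not visible in the hunk.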