From 19cc00041a977189b9e41aff458d3036d1d76bab Mon Sep 17 00:00:00 2001
From: Serena Ziviani <serena.ziviani@cern.ch>
Date: Thu, 14 Mar 2019 16:23:37 +0100
Subject: [PATCH] Also use selinuxenabled to check selinux status

Currently, the cleanup script is using the existence of the folder
/sys/fs/selinux to check if SELinux is enabled. This, however, is
misleading in case disk-image-builder is used inside a Docker
container on a selinux-enabled host. In this case, the folder exists
in the container but SELinux is disabled.

This patch addresses the problem by checking, in addition to the
check already in place, the output of the command selinuxenabled.

Change-Id: I83e58f2467e60df9f0f00f7b7a58d0e2ce357a9a
Closes-Bug: #1820077
---
 .../elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
index 0d0c9cad6..f177829ac 100755
--- a/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
+++ b/diskimage_builder/elements/rpm-distro/cleanup.d/99-selinux-fixfiles-restore
@@ -45,7 +45,7 @@ fi
 # for whatever policy is in the host kernel.  We will run under
 # "runcon" to specifically allow this
 _runcon=""
-if [[ -d /sys/fs/selinux ]]; then
+if [[ -d /sys/fs/selinux ]] && selinuxenabled; then
     sudo semanage permissive -a setfiles_mac_t
     _runcon="runcon -t setfiles_mac_t -- "
 fi
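Review bot: the added `&& selinuxenabled` on the `if` line treats a missing binary the same as "SELinux disabled": if `selinuxenabled` is not on PATH, the shell returns 127, the condition is false, and the `semanage permissive -a setfiles_mac_t` / `runcon` setup is skipped with only a "command not found" line in the log, even on a host where SELinux is actually enabled. Consider testing for the command first (for example `command -v selinuxenabled >/dev/null`) and falling back to the existing directory check when it is absent. The comment above `_runcon=""` should also gain a sentence on why the `/sys/fs/selinux` test alone is insufficient (the Docker-on-SELinux-host case from the commit message), and note that the check uses the exit status of `selinuxenabled`, not its output.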