selinux: delay mac_selinux_enforcing call after SELinux was determined to be enabled
authorChristian Göttsche <cgzones@googlemail.com>
Tue, 17 Mar 2020 17:11:14 +0000 (18:11 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 19 Mar 2020 07:56:30 +0000 (08:56 +0100)
Calling `mac_selinux_enforcing()`, which calls `security_getenforce()`, on a SELinux-disabled system causes the following error message to be printed:
    Failed to get SELinux enforced status: No such file or directory

Fixes: 257188f80ce1a083e3a88b679b898a73fecab53b ("selinux: cache enforced status and treat retrieve failure as enforced mode")
Supersedes: #15145

src/core/selinux-access.c

index 008a8ba9b6aa92786a81ba83c8b286efcff9f6b1..e40898d10bc5affa4cdaa62ddb602ff1e64dcaa0 100644 (file)
@@ -185,7 +185,7 @@ int mac_selinux_generic_access_check(
         _cleanup_free_ char *cl = NULL;
         _cleanup_freecon_ char *fcon = NULL;
         char **cmdline = NULL;
-        const bool enforce = mac_selinux_enforcing();
+        bool enforce;
         int r = 0;
 
         assert(message);
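Review bot: `bool enforce;` is now declared without a value and without `const`, so it is indeterminate from this declaration until the assignment after the `access_init()` check in the next hunk. The only early exit visible is a plain `return r;`, which does not read it, but the rest of mac_selinux_generic_access_check() lies outside the hunk. If a cleanup path there consults `enforce` (not visible here), a later change that jumps to it before the assignment would read an indeterminate value and could let a denial through as permissive. A fail-closed initializer, `bool enforce = true;`, would keep that case consistent with the policy named in the Fixes: line of treating an unknown status as enforcing.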
@@ -196,6 +196,9 @@ int mac_selinux_generic_access_check(
         if (r <= 0)
                 return r;
 
+        /* delay call until we checked in `access_init()` if SELinux is actually enabled */
+        enforce = mac_selinux_enforcing();
+
         r = sd_bus_query_sender_creds(
                         message,
                         SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
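Review bot: The added comment above `enforce = mac_selinux_enforcing();` says the call is delayed but not what goes wrong if someone moves it back to the declaration. Since the ordering is what keeps a disabled system from hitting the failing status lookup, I would spell that out: `/* Query the enforcing state only after access_init() has confirmed that SELinux is enabled; on a disabled system security_getenforce() fails and logs an error. */`. The `sd_bus_query_sender_creds()` call and the remainder of the function continue past the end of this hunk.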