From: Antonio Alvarez Feijoo
Date: Tue, 12 Sep 2023 13:07:16 +0000 (+0200)
Subject: fix(dracut-initramfs-restore.sh): do not set selinux labels if disabled
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=4d594210d6ef4f04a9dbadacea73e9461ded352d;p=thirdparty%2Fdracut.git
fix(dracut-initramfs-restore.sh): do not set selinux labels if disabled
Also, it's not enough to check if `SELINUX=disabled` in /etc/selinux/config, because it can be disabled via kernel command line options.
---
diff --git a/dracut-initramfs-restore.sh b/dracut-initramfs-restore.sh
index 412c3a827..995e13a0d 100755
--- a/dracut-initramfs-restore.sh
+++ b/dracut-initramfs-restore.sh
@@ -75,9 +75,12 @@ if [[ -d squash ]]; then
 fi
 fi
-if [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
+if grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null \
+ && [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
 . /etc/selinux/config
- [ -n "${SELINUXTYPE}" ] && /usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
+ if [[ $SELINUX != "disabled" && -n $SELINUXTYPE ]]; then
+ /usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
+ fi
 fi
 exit 0
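Review bot: The new `grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null` guard cannot tell a missing or unreadable LSM list from "SELinux is not active", because stderr is discarded and any non-zero status skips the block. On a host where that file is not available when the script runs, the `setfiles` relabel of /run/initramfs would presumably be skipped silently even though SELinux is in use. If that fail-quiet behaviour is intended, document it above the `if`, e.g. `# An unreadable LSM list is treated as SELinux off: labelling is skipped, not reported.`; otherwise fall back to another check, such as `selinuxenabled`, when the file is absent. As a style point, the same condition keeps the obsolescent `[ ... -a ... ]` form next to the `[[ ... ]]` test added below it; `[[ -e /etc/selinux/config && -x /usr/sbin/setfiles ]]` would make the block consistent.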