From 4d594210d6ef4f04a9dbadacea73e9461ded352d Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Tue, 12 Sep 2023 15:07:16 +0200
Subject: [PATCH] fix(dracut-initramfs-restore.sh): do not set selinux labels
 if disabled

Also, it's not enough to check if `SELINUX=disabled` in /etc/selinux/config,
because it can be disabled via kernel command line options.
---
 dracut-initramfs-restore.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/dracut-initramfs-restore.sh b/dracut-initramfs-restore.sh
index 412c3a8279..995e13a0d5 100755
--- a/dracut-initramfs-restore.sh
+++ b/dracut-initramfs-restore.sh
@@ -75,9 +75,12 @@ if [[ -d squash ]]; then
     fi
 fi
 
-if [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
+if grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null \
+    && [ -e /etc/selinux/config -a -x /usr/sbin/setfiles ]; then
     . /etc/selinux/config
-    [ -n "${SELINUXTYPE}" ] && /usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
+    if [[ $SELINUX != "disabled" && -n $SELINUXTYPE ]]; then
+        /usr/sbin/setfiles -v -r /run/initramfs /etc/selinux/"${SELINUXTYPE}"/contexts/files/file_contexts /run/initramfs > /dev/null
+    fi
 fi
 
 exit 0