From 413e68ee9637de51e86cfe9d4d7e4b3f50cfc841 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 17 Sep 2024 11:41:21 -0400
Subject: [PATCH] install: Drop SELinux-disabled warning
We have e2e tests for this today. On a related topic, unfortunately the way bootc-image-builder sets up the container it runs bootc in it doesn't mount selinuxfs, so we see SELinux as disabled when it's not. We should fix that, but it also avoids user confusion to drop the warning here. While we're here, change things so we more consistently log the state computed.
Closes: https://github.com/containers/bootc/issues/419
Signed-off-by: Colin Walters
---
 lib/src/install.rs | 7 ++-----
 lib/src/lsm.rs | 1 +
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/src/install.rs b/lib/src/install.rs
index e5dad701..d244f5a9 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -894,6 +894,7 @@ impl RootSetup {
 }
 }
+#[derive(Debug)]
 pub(crate) enum SELinuxFinalState {
 /// Host and target both have SELinux, but user forced it off for target
 ForceTargetDisabled,
@@ -952,15 +953,10 @@ pub(crate) fn reexecute_self_for_selinux_if_needed(
 let g = crate::lsm::selinux_ensure_install_or_setenforce()?;
 SELinuxFinalState::Enabled(g)
 } else {
- // This used to be a hard error, but is now a mild warning
- crate::utils::medium_visibility_warning(
- "Host kernel does not have SELinux support, but target enables it by default; this is less well tested. See https://github.com/containers/bootc/issues/419",
- );
 SELinuxFinalState::HostDisabled
 };
 Ok(r)
 } else {
- tracing::debug!("Target does not enable SELinux");
 Ok(SELinuxFinalState::Disabled)
 }
 }
@@ -1227,6 +1223,7 @@ async fn prepare_install(
 // Now, deal with SELinux state.
 let selinux_state = reexecute_self_for_selinux_if_needed(&source, config_opts.disable_selinux)?;
+ tracing::debug!("SELinux state: {selinux_state:?}");
 println!("Installing image: {:#}", &target_imgref);
 if let Some(digest) = source.digest.as_deref() {
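Review bot: The `HostDisabled` branch in the second hunk loses its only in-code explanation together with the warning; the removed lines held the sole pointer to issue 419. The commit message also says this state can be reported when selinuxfs is simply not mounted in the container, which is a known false negative worth keeping documented at the branch. A short comment would do, for example `// Host SELinux may be reported as disabled when selinuxfs is not mounted; see https://github.com/containers/bootc/issues/419`. reexecute_self_for_selinux_if_needed starts outside the hunk, so the condition guarding this branch is not visible here.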
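Review bot: The added `tracing::debug!` line in prepare_install is now the only record of the computed SELinux state, and at debug level it will presumably not show up in a default run. `HostDisabled` and `ForceTargetDisabled` describe an install whose target is set up without host SELinux support or with SELinux forced off, which is worth being able to audit afterwards. Consider a level that lands in ordinary install logs, e.g. `tracing::info!("SELinux state: {selinux_state:?}");`, if that does not bring back the user confusion the commit is trying to avoid. prepare_install continues outside the hunk.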
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
index d22dcca2..773616d7 100644
--- a/lib/src/lsm.rs
+++ b/lib/src/lsm.rs
@@ -99,6 +99,7 @@ pub(crate) fn selinux_ensure_install() -> Result {
 /// gain the `mac_admin` permission (install_t).
 #[cfg(feature = "install")]
 #[must_use]
+#[derive(Debug)]
 pub(crate) struct SetEnforceGuard(Option<()>);
 #[cfg(feature = "install")]