From 3c421c240dc6bf980ee2a612e0ecf55b95d992a7 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Tue, 13 Jun 2023 18:58:26 -0400 Subject: [PATCH] unix_integration: also check running SELinux mode (#1704) For kanidm_unixd_tasks, check the current SELinux mode in addition to kernel support. If SELinux is disabled at runtime, any attempts to query the policy will fail, so also disable SELinux features if this is the case. Signed-off-by: Kenton Groombridge
---
 unix_integration/src/selinux_util.rs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/unix_integration/src/selinux_util.rs b/unix_integration/src/selinux_util.rs
index 04b415af4..9aa5e7a76 100644
--- a/unix_integration/src/selinux_util.rs
+++ b/unix_integration/src/selinux_util.rs
@@ -1,9 +1,19 @@
 use std::ffi::CString;
 
-use selinux::{kernel_support, label::back_end::File, label::Labeler, KernelSupport};
+use selinux::{
+    current_mode, kernel_support, label::back_end::File, label::Labeler, KernelSupport, SELinuxMode,
+};
 
 pub fn supported() -> bool {
-    return !matches!(kernel_support(), KernelSupport::Unsupported);
+    // check if the running kernel has SELinux support
+    if matches!(kernel_support(), KernelSupport::Unsupported) {
+        return false;
+    }
+    // check if SELinux is actually running
+    match current_mode() {
+        SELinuxMode::Permissive | SELinuxMode::Enforcing => true,
+        _ => false,
+    }
 }
 
 pub fn get_labeler() -> Result, String> {
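Review bot: The new `match current_mode()` block in `supported()` folds an enum into a bool with a catch-all arm, which trips clippy's `match_like_matches_macro` lint and silently maps any `SELinuxMode` variant other than the two named to `false`; the idiomatic form is `matches!(current_mode(), SELinuxMode::Permissive | SELinuxMode::Enforcing)`, mirroring the kernel check two lines above. If the crate's enum is closed, an exhaustive match naming the remaining variant(s) instead would fail to compile when one is added, which is the safer default for a gate that turns security features on or off. `supported()` is a `pub` function with no doc comment; `/// Returns true only when the kernel supports SELinux and it is currently enabled (permissive or enforcing), so policy queries can succeed.` would record the contract the commit message describes. Callers should not read a `true` here as "enforcing": a permissive system answers label queries but does not block access, so any enforcement-dependent logic has to check the mode itself.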