diff --git a/lib/src/install.rs b/lib/src/install.rs
index b6c91c44..4a754d86 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -1442,14 +1442,18 @@ pub(crate) async fn install_to_filesystem(
         anyhow::bail!("Not a mountpoint: {root_path}");
     }
 
+    // Gather global state, destructuring the provided options.
+    // IMPORTANT: We might re-execute the current process in this function (for SELinux among other things)
+    // IMPORTANT: and hence anything that is done before MUST BE IDEMPOTENT.
+    // IMPORTANT: In practice, we should only be gathering information before this point,
+    // IMPORTANT: and not performing any mutations at all.
+    let state = prepare_install(opts.config_opts, opts.source_opts, opts.target_opts).await?;
+
     // Check to see if this happens to be the real host root
     if !fsopts.acknowledge_destructive {
         warn_on_host_root(&rootfs_fd)?;
     }
 
-    // Gather global state, destructuring the provided options
-    let state = prepare_install(opts.config_opts, opts.source_opts, opts.target_opts).await?;
-
     match fsopts.replace {
         Some(ReplaceMode::Wipe) => {
             let rootfs_fd = rootfs_fd.try_clone()?;