fix: mount selinuxfs only when SELinux is enabled

Having selinuxfs mounted might confuse some software, as conventional Linux systems do not have selinuxfs mounted when SELinux is disabled and no policy is loaded. Fixes #10083 Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
siderolabs · Jan 3, 2025 · 7dc3d19 · 7dc3d19
1 parent 83d84a8
commit 7dc3d19
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/internal/pkg/mount/v2/pseudo.go b/internal/pkg/mount/v2/pseudo.go
@@ -9,6 +9,7 @@ import (
 
 	"golang.org/x/sys/unix"
 
+	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -48,8 +49,8 @@ func PseudoSubMountPoints() Points {
 		)
 	}
 
-	if _, err := os.Stat("/sys/fs/selinux"); err == nil {
-		// mount selinuxfs if it exists
+	if selinux.IsEnabled() {
+		// mount selinuxfs if it is enabled, which implies SELinux is the major LSM
 		points = append(points,
 			NewPoint("selinuxfs", "/sys/fs/selinux", "selinuxfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME)),
 		)