From 9df86a04b94c48e3bf73d8de8a91f77ac518ab90 Mon Sep 17 00:00:00 2001
From: Steve Baker
Date: Fri, 9 Jan 2026 14:56:28 +1300
Subject: [PATCH] bootc install: Treat SELinux Permissive like Enforcing

Currently Permissive is treated like Disabled for bootc install which means the written operating system will also have SELinux disabled. This change treats Permissive like Enforcing, with the assumption that Permissive is "enough" SELinux enforcement for bootc install. Likely all IPA builds on SELinux distros are set to Permissive[1], which means it is currently not practical to provision a SELinux enabled bootc system.

[1] https://opendev.org/openstack/ironic-python-agent-builder/src/branch/master/dib/ironic-ramdisk-base/element-deps#L3

Change-Id: Id8a049b242a8c7e38103afc988749ecb2a787ce4
Signed-off-by: Steve Baker
---
 ironic_python_agent/extensions/standby.py | 3 +-
 .../tests/unit/extensions/test_standby.py | 52 ++++++++++++++++++-
 2 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/ironic_python_agent/extensions/standby.py b/ironic_python_agent/extensions/standby.py
index 667aff507..31d705dc4 100644
--- a/ironic_python_agent/extensions/standby.py
+++ b/ironic_python_agent/extensions/standby.py
@@ -1259,7 +1259,8 @@ class StandbyExtension(base.BaseAgentExtension):
         selinux = False
         try:
             stdout, _ = utils.execute("getenforce", use_standard_locale=True)
-            if stdout.startswith('Enforcing'):
+            if (stdout.startswith('Enforcing')
+                    or stdout.startswith('Permissive')):
                 selinux = True
         except (processutils.ProcessExecutionError,
                 errors.CommandExecutionError,
diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py
index 1fd043086..29acdacc4 100644
--- a/ironic_python_agent/tests/unit/extensions/test_standby.py
+++ b/ironic_python_agent/tests/unit/extensions/test_standby.py
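Review bot: The two `startswith` calls on the added lines can be a single call with a tuple, `if stdout.startswith(('Enforcing', 'Permissive')):`, which also removes the wrapped condition. More importantly, the reason Permissive is grouped with Enforcing lives only in the commit message; a comment above the condition such as `# Permissive still has policy loaded and labels files, so treat it like Enforcing and keep SELinux enabled on the installed system` keeps a later reader from reverting it to Enforcing-only. Since Permissive only logs denials instead of blocking them, a labeling problem during the install would surface in the ramdisk's audit log rather than as a failed command, which is worth noting in that comment as well. The enclosing method starts and ends outside the hunk.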
@@ -1839,7 +1839,7 @@ class TestStandbyExtension(base.IronicAgentTest):
     @mock.patch.object(standby.StandbyExtension,
                        '_write_no_pivot_root',
                        autospec=True)
-    def test__download_container_and_bootc_install(
+    def test__download_container_and_bootc_install_enforcing_selinux(
             self,
             no_pivot_mock,
             write_container_auth_mock,
@@ -1875,6 +1875,54 @@ class TestStandbyExtension(base.IronicAgentTest):
                 '/dev/fake', use_standard_locale=True)
         ])
 
+    @mock.patch('ironic_python_agent.utils.execute', autospec=True)
+    @mock.patch.object(disk_utils, 'get_dev_byte_size',
+                       autospec=True)
+    @mock.patch.object(standby.StandbyExtension,
+                       '_write_authorized_keys',
+                       autospec=True)
+    @mock.patch.object(standby.StandbyExtension,
+                       '_write_container_auth',
+                       autospec=True)
+    @mock.patch.object(standby.StandbyExtension,
+                       '_write_no_pivot_root',
+                       autospec=True)
+    def test__download_container_and_bootc_install_permissive_selinux(
+            self,
+            no_pivot_mock,
+            write_container_auth_mock,
+            write_authorized_keys_mock,
+            get_size_mock,
+            execute_mock):
+        get_size_mock.return_value = 2000000000
+        execute_mock.side_effect = iter([
+            (('Permissive\n'), ()),
+            ((), ())])
+        write_authorized_keys_mock.return_value = '/tmp/fake/file'
+        self.agent_extension._download_container_and_bootc_install(
+            'oci://foo/container', '/dev/fake', 'secret', False, 'keys!')
+        no_pivot_mock.assert_called_once()
+        write_container_auth_mock.assert_called_once_with(mock.ANY,
+                                                          'secret',
+                                                          'foo')
+        get_size_mock.assert_called_once_with('/dev/fake')
+        execute_mock.assert_has_calls([
+            mock.call('getenforce', use_standard_locale=True),
+            mock.call(
+                'podman', '--log-level=debug', 'run', '--rm',
+                '--privileged',
+                '--pid=host',
+                '-v', '/var/lib/containers:/var/lib/containers',
+                '-v', '/dev:/dev', '--retry-delay=5s',
+                '--authfile=/root/.config/containers/auth.json',
+                '-v', '/tmp:/tmp', '--security-opt',
+                'label=type:unconfined_t', 'foo/container',
+                'bootc', 'install', 'to-disk', '--wipe',
+                '--skip-fetch-check', '--root-size=1139M',
+                '--root-ssh-authorized-keys=/tmp/fake/file',
+                '/dev/fake', use_standard_locale=True)
+        ])
+
     @mock.patch('ironic_python_agent.utils.execute', autospec=True)
     @mock.patch.object(disk_utils, 'get_dev_byte_size',
                        autospec=True)
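Review bot: The new test repeats the enforcing test body in full, with apparently only the first `execute_mock` side effect (`'Permissive\n'`) differing, so the long podman argument list including `'--security-opt', 'label=type:unconfined_t'` is now asserted in two places and the copies will drift. A private helper that takes the `getenforce` stdout and the mocks, and performs the call plus the `assert_has_calls` check, would let both tests share one copy of the expected command; the enforcing test itself is outside this hunk, so the shared expectations can only be inferred here. Separately, the inner parentheses in `(('Permissive\n'), ())` do not create a tuple, so `('Permissive\n', ())` is the equivalent and clearer spelling of what the mock returns.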
@@ -1946,7 +1994,7 @@ class TestStandbyExtension(base.IronicAgentTest):
         get_size_mock.return_value = 15000000000
         execute_mock.side_effect = iter([
             OSError(),
-            ((), ())])
+            (('Disabled'), ())])
         write_authorized_keys_mock.return_value = '/tmp/fake/file'
         self.agent_extension._download_container_and_bootc_install(