lsm: exit early if the process already has install_t

There's no need to perform any additional steps if the bootc process
already has install_t.

Signed-off-by: Ondřej Budai <[email protected]>

Author: ondrejbudai

lib/src/lsm.rs

@@ -84,6 +84,10 @@ impl Drop for SetEnforceGuard {
 #[context("Ensuring selinux install_t type")]
 #[cfg(feature = "install")]
 pub(crate) fn selinux_ensure_install_or_setenforce() -> Result<Option<SetEnforceGuard>> {
+    // If the process already has install_t, exit early
+    if self_has_install_t()? {
+        return Ok(None);
+    }
     selinux_ensure_install()?;
     let current = std::fs::read_to_string("/proc/self/attr/current")
         .context("Reading /proc/self/attr/current")?;
@@ -170,3 +174,10 @@ pub(crate) fn xattrs_have_selinux(xattrs: &ostree::glib::Variant) -> bool {
     }
     false
 }
+
+fn self_has_install_t() -> Result<bool> {
+    let current = std::fs::read_to_string("/proc/self/attr/current")
+        .context("Reading /proc/self/attr/current")?;
+
+    Ok(current.contains("install_t"))
+}