From 9bcfc5dc9f0a5487c7e20b7275da6293a105bad0 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Mon, 14 Dec 2020 12:47:37 -0500
Subject: [PATCH] Allow SELinux to stay enabled
Users who have their own SELinux policies should be able to keep QubesOS from disabling SELinux.
---
rpm_spec/core-agent.spec.in | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 17720ab..6074ed0 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -492,10 +492,15 @@ fi
 exit 0
 %triggerin -- selinux-policy
-#echo "--> Disabling SELinux..."
-sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed
-mv /etc/selinux/config.processed /etc/selinux/config
-setenforce 0 2>/dev/null
+
+. /usr/lib/qubes/init/functions
+
+if ! is_protected_file /etc/selinux/config; then
+ echo "--> Disabling SELinux..."
+ sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed
+ mv /etc/selinux/config.processed /etc/selinux/config
+ setenforce 0 2>/dev/null
+fi
 exit 0
 %post network-manager
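Review bot: The new guard `if ! is_protected_file /etc/selinux/config; then` fails toward disabling SELinux. If the sourced `/usr/lib/qubes/init/functions` does not define the helper (it lives outside this hunk, and an older copy may presumably still be on disk when the trigger fires), the call returns 127, the `!` turns that into success, and the scriptlet rewrites the config and runs `setenforce 0` even though the user asked to keep the file. Make that case explicit with `command -v is_protected_file >/dev/null || exit 0` right after the `.` line, or add a comment stating that falling back to disabling is intended. Whether a failed `.` aborts the scriptlet depends on the shell rpm runs it with, so that should not be relied on as the safety net. The sed expression is also unquoted on the new side; `'s/^SELINUX=.*$/SELINUX=disabled/'` keeps the shell from glob-expanding the `*`.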