ks: SELinux permissive at build (PCRE2 mismatch); enforcing+relabel at first boot

kickstart/veilor-os.ks

@@ -15,7 +15,11 @@ timezone Europe/London --utc
 # Note: no display mode (text/graphical/cmdline) — livemedia-creator forbids.
 firstboot --disable
 eula --agreed
-selinux --enforcing
+# Build-time SELinux disabled to avoid PCRE2 regex version mismatch between
+# host libselinux and chroot's selinux-policy file_contexts.bin (pcre2 10.46
+# vs 10.47). veilor-firstboot.service triggers `fixfiles -F onboot` and
+# `setenforce 1` on first boot to re-enable enforcing mode.
+selinux --permissive
 services --enabled=sshd,fail2ban,usbguard,tuned,auditd,firewalld,chronyd,sddm,veilor-firstboot,veilor-modules-lock
 
 # ── Network / hostname ──

overlay/usr/local/sbin/veilor-firstboot

@@ -40,7 +40,14 @@ touch "$STATE"
 systemctl disable veilor-firstboot.service >/dev/null 2>&1 || true
 
 echo
-echo "  Password set. Starting graphical session..."
+echo "  Password set."
+echo "  Re-enabling SELinux enforcing mode..."
+
+# Re-enable SELinux (build-time disabled to bypass pcre2/regex mismatch).
+# Set to enforcing for next boot, schedule full relabel.
+sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config 2>/dev/null
+touch /.autorelabel 2>/dev/null
+echo "  Starting graphical session..."
 sleep 2
 
 # Start SDDM (was held back by service ordering)