tests/readonly: Add SELinux enforcing check

Verify that SELinux is in enforcing mode at the start of the readonly
test suite. This catches accidental regressions where test images
ship with permissive mode or enforcing=0 on the kernel command line.

The check is skipped for composefs upgrade tests where enforcing=0
is intentionally needed due to the base image SELinux policy not yet
covering composefs file contexts.

Assisted-by: OpenCode (Claude claude-opus-4-6)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

tmt/tests/booted/readonly/000-test-selinux-enforcing.nu

@@ -0,0 +1,21 @@
+use std assert
+use tap.nu
+
+tap begin "verify SELinux is enforcing"
+
+# Composefs upgrade source images boot with enforcing=0 because the
+# base image's SELinux policy doesn't yet cover composefs file contexts.
+# Skip this check in that case.
+let upgrade_image = $env.BOOTC_test_upgrade_image? | default ""
+let is_composefs = (tap is_composefs)
+if $upgrade_image != "" and $is_composefs {
+    print "# skip: composefs upgrade boots with enforcing=0 (base image SELinux policy gap)"
+    tap ok
+    exit 0
+}
+
+let enforce = (open /sys/fs/selinux/enforce | str trim)
+assert equal $enforce "1" "SELinux should be in enforcing mode"
+print "SELinux is enforcing"
+
+tap ok