--- coreutils-9.5.orig/src/cp.c
+++ coreutils-9.5/src/cp.c
@@ -994,7 +992,7 @@
 
   atexit (close_stdin);
 
-  selinux_enabled = (0 < is_selinux_enabled ());
+  selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
   cp_option_init (&x);
 
   while ((c = getopt_long (argc, argv, "abdfHilLnprst:uvxPRS:TZ",
@@ -1201,7 +1197,7 @@
             {
               error (0, 0,
                      _("warning: ignoring --context; "
-                       "it requires an SELinux-enabled kernel"));
+                       "it requires an SELinux-enabled kernel and root access"));
             }
           break;
 
@@ -1277,7 +1273,7 @@
   if (x.require_preserve_context && ! selinux_enabled)
     error (EXIT_FAILURE, 0,
            _("cannot preserve security context "
-             "without an SELinux-enabled kernel"));
+             "without an SELinux-enabled kernel and root access"));
 
   /* FIXME: This handles new files.  But what about existing files?
      I.e., if updating a tree, new files would have the specified context,
--- coreutils-9.5.orig/src/mkdir.c
+++ coreutils-9.5/src/mkdir.c
@@ -228,7 +228,7 @@
               /* We don't yet support -Z to restore context with SMACK.  */
               scontext = optarg;
             }
-          else if (is_selinux_enabled () > 0)
+          else if (is_selinux_enabled () > 0 && geteuid () == 0)
             {
               if (optarg)
                 scontext = optarg;
@@ -244,7 +244,7 @@
             {
               error (0, 0,
                      _("warning: ignoring --context; "
-                       "it requires an SELinux/SMACK-enabled kernel"));
+                       "it requires an SELinux/SMACK-enabled kernel and root access"));
             }
           break;
         case_GETOPT_HELP_CHAR;
--- coreutils-9.5.orig/src/mkfifo.c
+++ coreutils-9.5/src/mkfifo.c
@@ -102,7 +102,7 @@
               /* We don't yet support -Z to restore context with SMACK.  */
               scontext = optarg;
             }
-          else if (is_selinux_enabled () > 0)
+          else if (is_selinux_enabled () > 0 && geteuid () == 0)
             {
               if (optarg)
                 scontext = optarg;
@@ -118,7 +118,7 @@
             {
               error (0, 0,
                      _("warning: ignoring --context; "
-                       "it requires an SELinux/SMACK-enabled kernel"));
+                       "it requires an SELinux/SMACK-enabled kernel and root access"));
             }
           break;
         case_GETOPT_HELP_CHAR;
--- coreutils-9.5.orig/src/mknod.c
+++ coreutils-9.5/src/mknod.c
@@ -119,7 +119,7 @@
               /* We don't yet support -Z to restore context with SMACK.  */
               scontext = optarg;
             }
-          else if (is_selinux_enabled () > 0)
+          else if (is_selinux_enabled () > 0 && geteuid () == 0)
             {
               if (optarg)
                 scontext = optarg;
@@ -135,7 +135,7 @@
             {
               error (0, 0,
                      _("warning: ignoring --context; "
-                       "it requires an SELinux/SMACK-enabled kernel"));
+                       "it requires an SELinux/SMACK-enabled kernel and root access"));
             }
           break;
         case_GETOPT_HELP_CHAR;
--- coreutils-9.5.orig/src/mv.c
+++ coreutils-9.5/src/mv.c
@@ -120,7 +120,7 @@
 static void
 cp_option_init (struct cp_options *x)
 {
-  bool selinux_enabled = (0 < is_selinux_enabled ());
+  bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
 
   cp_options_default (x);
   x->copy_as_regular = false;  /* FIXME: maybe make this an option */
@@ -326,7 +326,7 @@
   bool no_target_directory = false;
   int n_files;
   char **file;
-  bool selinux_enabled = (0 < is_selinux_enabled ());
+  bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
   bool no_clobber = false;
 
   initialize_main (&argc, &argv);
--- coreutils-9.5.orig/src/runcon.c
+++ coreutils-9.5/src/runcon.c
@@ -190,8 +190,8 @@
       usage (EXIT_CANCELED);
     }
 
-  if (is_selinux_enabled () != 1)
-    error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel"),
+  if (is_selinux_enabled () != 1 || geteuid () != 0)
+    error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel and must be run as root"),
            program_name);
 
   if (context)
--- coreutils-9.5.orig/src/install.c
+++ coreutils-9.5/src/install.c
@@ -325,6 +325,9 @@
   struct stat st;
   char *scontext_raw = nullptr;
 
+  /* FIXME: Return early for now until a suitable workaround has been found */
+  return;
+
   if (selinux_enabled != 1)
     {
       /* Indicate no context found. */
@@ -789,7 +792,7 @@
   bool strip_program_specified = false;
   char const *scontext = nullptr;
   /* set iff kernel has extra selinux system calls */
-  selinux_enabled = (0 < is_selinux_enabled ());
+  selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
 
   initialize_main (&argc, &argv);
   set_program_name (argv[0]);
@@ -876,7 +879,7 @@
           if (! selinux_enabled)
             {
               error (0, 0, _("WARNING: ignoring --preserve-context; "
-                             "this kernel is not SELinux-enabled"));
+                             "it requires an SELinux-enabled kernel and root access"));
               break;
             }
           x.preserve_security_context = true;
@@ -902,7 +905,7 @@
             {
               error (0, 0,
                      _("warning: ignoring --context; "
-                       "it requires an SELinux-enabled kernel"));
+                       "it requires an SELinux-enabled kernel and root access"));
             }
           break;
         case_GETOPT_HELP_CHAR;