libselinux checks the state of SELinux only in the library constructor and then
uses a cached value. It can be a problem for processes which do chroot() as
there's usually no SELinux interface (/sys/fs/selinux) in the chroot. For
chpasswd/chgpasswd is enough to do SELinux checks before processes are
chroot()ed.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1747215