Comment 24 for bug 90085

On Ubuntu 18.04 with noexec on /tmp running 'apt-get install -y selinux' and then doing a required reboot will give you a non-booting host.

As an aside, the same security guidance (CIS Benchmarks for one) about noexec on /tmp should be applied to /var/tmp, so changing APT::ExtractTemplates::TempDir to "/var/tmp"; isn't really an option here in the long run.