diff --git a/pkg/cluster/manager/check.go b/pkg/cluster/manager/check.go
index 0559aa8f90..99addd799e 100644
--- a/pkg/cluster/manager/check.go
+++ b/pkg/cluster/manager/check.go
@@ -686,7 +686,10 @@ func fixFailedChecks(host string, res *operator.CheckResult, t *task.Builder, sy
 case operator.CheckNameTHP:
 t.Shell(host,
 fmt.Sprintf(
- `if [ -d %[1]s ]; then echo never > %[1]s/enabled; fi && %s`,
+ // grubby only exists on RHEL-family distros; skip the persistent
+ // kernel argument when it's not available (e.g. Debian/Ubuntu)
+ // instead of failing the whole apply.
+ `if [ -d %[1]s ]; then echo never > %[1]s/enabled; fi && if command -v grubby >/dev/null 2>&1; then %s; fi`,
 "/sys/kernel/mm/transparent_hugepage",
 `grubby --update-kernel=ALL --args="transparent_hugepage=never"`,
 ),
diff --git a/pkg/cluster/operation/check.go b/pkg/cluster/operation/check.go
index f0e69e111e..5928d0b410 100644
--- a/pkg/cluster/operation/check.go
+++ b/pkg/cluster/operation/check.go
@@ -608,9 +608,15 @@ func CheckSELinuxStatus(ctx context.Context, e ctxt.Executor, sudo bool) *CheckR
 Command: "getenforce",
 Sudo: sudo,
 })
- stdout, stderr, err := m.Execute(ctx, e)
+ stdout, _, err := m.Execute(ctx, e)
 if err != nil {
- result.Err = fmt.Errorf("%w %s", err, stderr)
+ // getenforce is unavailable (e.g. SELinux userspace tools are not
+ // installed, as on most Debian/Ubuntu hosts), which means SELinux is
+ // not enforcing on this host. Treat it as disabled rather than a
+ // failure, so we don't trigger a fix that edits a non-existent
+ // /etc/selinux/config. The configuration is still checked separately
+ // by CheckSELinuxConf.
+ result.Msg = "getenforce not available, assuming SELinux is disabled"
 return result
 }
 out := strings.Trim(string(stdout), "\n")
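Review bot: When grubby is absent, the new `if command -v grubby >/dev/null 2>&1; then %s; fi` guard skips the persistent kernel argument without leaving any trace. On such hosts the fix only writes `never` to the sysfs file, so the setting is presumably lost at the next reboot even though the fix step completed without error. Consider an else branch that surfaces this, for example `else echo "grubby not found: transparent_hugepage=never not persisted across reboots" >&2; fi`, assuming the task's stderr reaches the operator. The enclosing fixFailedChecks function starts and ends outside this hunk.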
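Review bot: The `if err != nil` branch now treats every failure of `m.Execute` as "getenforce not available", so a connection, sudo or timeout error is also reported as SELinux disabled, and both `err` and stderr are discarded. That makes the check fail open: a host where getenforce could not be run for an unrelated reason looks the same as one without the SELinux tools. Keep `stderr` and retain `result.Err = fmt.Errorf("%w %s", err, stderr)` for anything that is not clearly a missing binary (for example by probing with `command -v getenforce` first, or by checking for the shell's command-not-found status), and set the new `result.Msg` only in that case. CheckSELinuxStatus continues outside the hunk.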