Only set --security-label if the filesystem was relabeled

Otherwise we run into virtiofsd errors when operating on non relabeled
directories with --security-label enabled.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 924dc9f4813ec1b150f12fc6d39dc83705d286c2..ab42a1876317cf3ec3159adc19255485ec301696 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -43,6 +43,7 @@ from mkosi.config import (
     format_tree,
     parse_config,
     summary,
+    want_selinux_relabel,
     yes_no,
 )
 from mkosi.context import Context
@@ -2354,25 +2355,7 @@ def run_firstboot(context: Context) -> None:
 
 
 def run_selinux_relabel(context: Context) -> None:
-    if context.config.selinux_relabel == ConfigFeature.disabled:
-        return
-
-    selinux = context.root / "etc/selinux/config"
-    if not selinux.exists():
-        if context.config.selinux_relabel == ConfigFeature.enabled:
-            die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
-        return
-
-    policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
-                 sandbox=context.sandbox(options=["--ro-bind", selinux, selinux]),
-                 stdout=subprocess.PIPE).stdout.strip()
-    if not policy:
-        if context.config.selinux_relabel == ConfigFeature.enabled:
-            die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
-        return
-
-    if not find_binary("setfiles", root=context.config.tools()):
-        logging.info("setfiles is not installed, not relabeling files")
+    if not (policy := want_selinux_relabel(context.config, context.root)):
         return
 
     fc = context.root / "etc/selinux" / policy / "contexts/files/file_contexts"

diff --git a/mkosi/config.py b/mkosi/config.py
index 0b57548e8eb6e8088baee8d19f19616b2aa1d561..8209a58ef799c3671761a1c583cd51200c3f41a2 100644 (file)
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -3561,3 +3561,29 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
         return val
 
     return json_transformer
+
+
+def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Optional[str]:
+    if config.selinux_relabel == ConfigFeature.disabled:
+        return None
+
+    selinux = root / "etc/selinux/config"
+    if not selinux.exists():
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die("SELinux relabel is requested but could not find selinux config at /etc/selinux/config")
+        return None
+
+    policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"],
+                 sandbox=config.sandbox(options=["--ro-bind", selinux, selinux]),
+                 stdout=subprocess.PIPE).stdout.strip()
+    if not policy:
+        if fatal and config.selinux_relabel == ConfigFeature.enabled:
+            die("SELinux relabel is requested but no selinux policy is configured in /etc/selinux/config")
+        return None
+
+    if not find_binary("setfiles", root=config.tools()):
+        if fatal:
+            logging.info("setfiles is not installed, not relabeling files")
+        return None
+
+    return policy

diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 267df7f22fe3b282f9139251664354d419a29eb3..fa3d518f12d064758411f116b1a27edc5b49d743 100644 (file)
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -30,6 +30,7 @@ from mkosi.config import (
     QemuFirmware,
     QemuVsockCID,
     format_bytes,
+    want_selinux_relabel,
 )
 from mkosi.log import die
 from mkosi.partition import finalize_root, find_partitions
@@ -326,7 +327,7 @@ def start_virtiofsd(config: Config, directory: Path, *, uidmap: bool) -> Iterato
         "--sandbox=chroot",
     ]
 
-    if not uidmap:
+    if not uidmap and want_selinux_relabel(config, directory, fatal=False):
         cmdline += ["--security-label"]
 
     # We create the socket ourselves and pass the fd to virtiofsd to avoid race conditions where we start qemu