Relabel image when selinux policy is installed

If an selinux policy is installed in the image, let's relabel it
automatically.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index dc90e9fd7d9b7d47a61852818891f14958318362..3ee494a008ea870ff5701ce07f0ef47674f8b0ee 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3086,6 +3086,25 @@ def run_preset_all(state: MkosiState) -> None:
         run(["systemctl", "--root", state.root, "preset-all"])
 
 
+def run_selinux_relabel(state: MkosiState) -> None:
+    selinux = state.root / "etc/selinux/config"
+    if not selinux.exists():
+        return
+
+    policy = run(["sh", "-c", f". {selinux} && echo $SELINUXTYPE"], text=True, stdout=subprocess.PIPE).stdout.strip()
+    if not policy:
+        return
+
+    fc = Path('/etc/selinux') / policy / 'contexts/files/file_contexts'
+
+    # We want to be able to relabel the underlying APIVFS mountpoints, so mount root non-recursive to a
+    # temporary location so that the underlying mountpoints become visible.
+    cmd = f"mkdir /tmp/relabel && mount --bind / /tmp/relabel && exec setfiles -m -r /tmp/relabel -F {fc} /tmp/relabel || exit $?"
+
+    with complete_step(f"Relabeling files using {policy} policy"):
+        run_workspace_command(state, ["sh", "-c", cmd])
+
+
 def reuse_cache_tree(state: MkosiState) -> bool:
     if not state.config.incremental:
         return False
@@ -3230,6 +3249,7 @@ def build_image(state: MkosiState, *, manifest: Optional[Manifest] = None) -> No
         reset_machine_id(state)
         reset_random_seed(state.root)
         run_finalize_script(state)
+        run_selinux_relabel(state)
 
     roothash = invoke_repart(state, skip=("esp", "xbootldr"))