Rework selinux labelling

Let's run setfiles on the host instead of inside the image. To make
this work, we have to explicitly tell it to use the binary policy
from the image to check contexts against.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 570b150c5cb6f9f51816fb4c1d7e8a773407fa4b..90ab69446867ce1c61d3f69b878a9b2a9474ade1 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1579,19 +1579,22 @@ def run_selinux_relabel(state: MkosiState) -> None:
     if not policy:
         return
 
-    fc = Path('/etc/selinux') / policy / 'contexts/files/file_contexts'
+    if not shutil.which("setfiles"):
+        logging.info("setfiles is not installed, not relabeling files")
+        return
+
+    fc = state.root / "etc/selinux" / policy / "contexts/files/file_contexts"
+    binpolicydir = state.root / "etc/selinux" / policy / "policy"
 
-    # We want to be able to relabel the underlying APIVFS mountpoints, so mount root non-recursive to a
-    # temporary location so that the underlying mountpoints become visible.
-    cmd = f"mkdir /tmp/relabel && mount --bind / /tmp/relabel && exec setfiles -m -r /tmp/relabel -F {fc} /tmp/relabel || exit $?"
+    try:
+        # The policy file is named policy.XX where XX is the policy version that indicates what features are
+        # available. It's not expected for there to be more than one file in this directory.
+        binpolicy = next(binpolicydir.iterdir())
+    except StopIteration:
+        die(f"SELinux binary policy not found in {binpolicydir}")
 
     with complete_step(f"Relabeling files using {policy} policy"):
-        bwrap(
-            cmd=["chroot", "sh", "-c", cmd],
-            apivfs=state.root,
-            scripts=dict(chroot=chroot_cmd(state.root)),
-            env=state.config.environment,
-        )
+        run(["setfiles", "-mFr", state.root, "-c", binpolicy, fc, state.root], env=state.config.environment)
 
 
 def need_build_packages(config: MkosiConfig) -> bool: