From: Daan De Meyer Date: Sun, 30 Mar 2025 15:10:00 +0000 (+0200) Subject: Disable selinux relabeling by default for directory images X-Git-Tag: v26~285^2~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ff28922a599e4ba0e6d4a6c737059887110686c;p=thirdparty%2Fmkosi.git Disable selinux relabeling by default for directory images For directory images it's more likely to not want these selinux relabeled, so let's default to that. Also drop the explicitly selinux relabeling disablement from mkosi-tools.
---
diff --git a/mkosi/config.py b/mkosi/config.py
index cb92faff1..66016b8df 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -5646,11 +5646,16 @@ def json_type_transformer(refcls: Union[type[Args], type[Config]]) -> Callable[[
 def want_selinux_relabel(
- config: Config, root: Path, fatal: bool = True
+ config: Config,
+ root: Path,
+ fatal: bool = True,
 ) -> Optional[tuple[Path, str, Path, Path]]:
 if config.selinux_relabel == ConfigFeature.disabled:
 return None
+ if config.selinux_relabel == ConfigFeature.auto and config.output_format == OutputFormat.directory:
+ return None
+
 selinux = root / "etc/selinux/config"
 if not selinux.exists():
 if fatal and config.selinux_relabel == ConfigFeature.enabled:
diff --git a/mkosi/resources/man/mkosi.1.md b/mkosi/resources/man/mkosi.1.md
index d22ee789b..9c113e6bd 100644
--- a/mkosi/resources/man/mkosi.1.md
+++ b/mkosi/resources/man/mkosi.1.md
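Review bot: The new `ConfigFeature.auto` + `OutputFormat.directory` early return in `want_selinux_relabel` (mkosi/config.py) skips relabeling silently, so a directory build that used to get labels through `auto` now comes out unlabeled with nothing in the build output to say why. Files in such a tree presumably keep whatever context the build filesystem gives them, which matters if the directory is later run or deployed on a host with an enforcing policy. I would put a comment on the branch, e.g. `# auto: directory images are left unlabeled; set SELinuxRelabel=yes to force relabeling`, and consider a debug-level log message at that point if the module already has a logger in scope. The function body continues past the end of the hunk, so how the remaining `auto` paths report a skip is not visible here.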
@@ -1165,9 +1165,10 @@ boolean argument: either `1`, `yes`, or `true` to enable, or `0`, `no`, disabled, files will not relabeled. If enabled, an SELinux policy has to be installed in the image and **setfiles** has to be available to relabel files. If any errors occur during **setfiles**, the build will
- fail. If set to `auto`, files will be relabeled if an SELinux policy
- is installed in the image and if **setfiles** is available. Any errors
- occurred during **setfiles** will be ignored.
+ fail. If set to `auto`, files will be relabeled if mkosi is not
+ building a directory image, an SELinux policy is installed in the
+ image and if **setfiles** is available. Any errors occurred during
+ **setfiles** will be ignored.
 Note that when running unprivileged, **setfiles** will fail to set any labels that are not in the host's SELinux policy. To ensure **setfiles**
diff --git a/mkosi/resources/mkosi-tools/mkosi.conf b/mkosi/resources/mkosi-tools/mkosi.conf
index a7359327d..6cfd27eb8 100644
--- a/mkosi/resources/mkosi-tools/mkosi.conf
+++ b/mkosi/resources/mkosi-tools/mkosi.conf
@@ -6,7 +6,6 @@ Output=mkosi.tools [Content] Bootable=no
-SELinuxRelabel=no
 Packages= ca-certificates coreutils