From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 10 Jul 2024 14:33:44 +0000 (+0200)
Subject: Downgrade SELinuxRelabel=yes to SELinuxRelabel=auto for the initrd
X-Git-Tag: v24~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4681dd733a925cd048d0301af26221bce0c95eed;p=thirdparty%2Fmkosi.git

Downgrade SELinuxRelabel=yes to SELinuxRelabel=auto for the initrd

Otherwise we fail if there's no policy installed in the initramfs.
Putting a policy in the initramfs isn't really a thing so let's not
fail if there is one available but still relabel if there is one
installed.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index ec09a9634..82a19f528 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1754,6 +1754,8 @@ def finalize_default_initrd(
     else:
         rootpwopt = None
 
+    relabel = ConfigFeature.auto if config.selinux_relabel == ConfigFeature.enabled else config.selinux_relabel
+
     # Default values are assigned via the parser so we go via the argument parser to construct
     # the config for the initrd.
     cmdline = [
@@ -1805,7 +1807,7 @@ def finalize_default_initrd(
         *(["--proxy-peer-certificate", str(p)] if (p := config.proxy_peer_certificate) else []),
         *(["--proxy-client-certificate", str(p)] if (p := config.proxy_client_certificate) else []),
         *(["--proxy-client-key", str(p)] if (p := config.proxy_client_key) else []),
-        "--selinux-relabel", str(config.selinux_relabel),
+        "--selinux-relabel", str(relabel),
         *(["-f"] * args.force),
     ]