mkosi: Disable selinux labelling and install policy in initramfs

It is necessary to install the selinux policy in the initramfs
so that userland is entered with the correct label.

SELinuxRelabel defaults to auto, which will skip if the relabelling
command is not installed and will treat failure to relabel as non-fatal.

We can't force it on because root privileges are required if the labels
don't exist on the host system and we would like to be able to
cross-build from other distributions.

Since we are already committed to relabelling on first boot
there is no value in even trying to label.

diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
index 3dc1143fc844e9e94e7a781bb02ab2bf803ec962..9fe5509695f6b399a97f6a03524f943a14412f1f 100644 (file)
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -10,3 +10,11 @@ Packages=
         selinux-policy
         selinux-policy-targeted
         setools-console
+
+# We relabel on first boot instead of at build time because it is only possible to label without root
+# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
+SELinuxRelabel=no
+
+InitrdPackages=
+        selinux-policy
+        selinux-policy-targeted