Merge pull request #290 from cgwalters/label-root

install: Ensure we label `/` (and `/boot`)

Author: cgwalters

lib/src/install.rs

@@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self(
     let rootfs = root_setup.rootfs.as_path();
     let cancellable = gio::Cancellable::NONE;
 
+    // Ensure that the physical root is labeled.
+    // Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295
+    state.lsm_label(rootfs, "/".into(), false)?;
+
     // TODO: make configurable?
     let stateroot = STATEROOT_DEFAULT;
     Task::new_and_run(
@@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self(
         ["admin", "init-fs", "--modern", rootfs.as_str()],
     )?;
 
+    // And also label /boot AKA xbootldr, if it exists
+    let bootdir = rootfs.join("boot");
+    if bootdir.try_exists()? {
+        state.lsm_label(&bootdir, "/boot".into(), false)?;
+    }
+
     // Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x.
     // TODO: Lower this logic into ostree proper.
     let bootloader = if cfg!(target_arch = "s390x") {

tests/kolainst/install

@@ -40,6 +40,9 @@ EOF
     grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
     umount /var/mnt
     echo "ok install"
+    mount /dev/vda4 /var/mnt
+    ls -dZ /var/mnt |grep ':root_t:'
+    umount /var/mnt
 
     # Now test install to-filesystem
     # Wipe the device