install: Ensure we label / (and /boot)

cgwalters · cgwalters · commit d515c319e742 · 2024-01-29T17:48:19.000-05:00
This came out of a discussion with bootc-image-builder, which has this issue right now: osbuild/bootc-image-builder#149 As I noted in that issue, I think it's basically been working here because we always write to a real fresh filesystem, but let's be very explicit. There's a notable tricky bootstrapping we're solving here around "what's the label of `/`" because we know we are running the target OS as a container image already. Signed-off-by: Colin Walters <walters@verbum.org>
diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -445,6 +445,10 @@ async fn initialize_ostree_root_from_self(
     let rootfs = root_setup.rootfs.as_path();
     let cancellable = gio::Cancellable::NONE;
 
+    // Ensure that the physical root is labeled.
+    // Another implementation: https://github.com/coreos/coreos-assembler/blob/3cd3307904593b3a131b81567b13a4d0b6fe7c90/src/create_disk.sh#L295
+    state.lsm_label(rootfs, "/".into(), false)?;
+
     // TODO: make configurable?
     let stateroot = STATEROOT_DEFAULT;
     Task::new_and_run(
@@ -453,6 +457,12 @@ async fn initialize_ostree_root_from_self(
         ["admin", "init-fs", "--modern", rootfs.as_str()],
     )?;
 
+    // And also label /boot AKA xbootldr, if it exists
+    let bootdir = rootfs.join("boot");
+    if bootdir.try_exists()? {
+        state.lsm_label(&bootdir, "/boot".into(), false)?;
+    }
+
     // Default to avoiding grub2-mkconfig etc., but we need to use zipl on s390x.
     // TODO: Lower this logic into ostree proper.
     let bootloader = if cfg!(target_arch = "s390x") {
diff --git a/tests/kolainst/install b/tests/kolainst/install
@@ -40,6 +40,9 @@ EOF
     grep -Ee '^linux /boot/ostree' /var/mnt/loader/entries/*.conf
     umount /var/mnt
     echo "ok install"
+    mount /dev/vda4 /var/mnt
+    ls -dZ /var/mnt |grep ':root_t:'
+    umount /var/mnt
 
     # Now test install to-filesystem
     # Wipe the device
