Originally posted by @cgwalters in #2034
I think the source of all the extra files is actually duplicate files but with different SELinux contexts. One example:
That's an unrelated bug in bootc I think
Basically right now with the ostree backend when we're fetching files we don't give them a canonical label, and so the stored objects may be duplicated by ostree.
I think with the default ostree backend we can mostly paper over this by bootstrapping using the booted policy (if one exists) - or in install flows, we can probably just take the hit of a relabeling pass.
This will also get fixed with the #20 flow (supposing the system supports reflinks) as there the backing files will always be labeled as if they're part of a container store and we'll reflink-and-relabel.
With the composefs backend this is all way way nicer as the labels only live in the EROFS metadata.
See also containers/composefs-rs#183