selinux labels for objects dir

[Johan-Liebert1]

All the flies in /sysroot/composefs/objects have the label system_u:object_r:root_t:s0

This causes AVC denials with selinux like the following

audit: type=1400 audit(1758694966.621:123): avc:  denied  { read } for  pid=1006 comm="restorecon" path="/e7/b21bc6ba7080f331992e550543a28cd7d03382ef065a46f2326150e497965f" dev="vdb3" ino=681271 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

audit: type=1400 audit(1758694966.640:124): avc:  denied  { read } for  pid=941 comm="agetty" path="/e2/2ed11c42842916ff956a27a586a1ac14fe83d5c3f4bac62e44632663a4b313" dev="vdb 3" ino=684166 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

audit: type=1400 audit(1758694964.795:3): avc:  denied  { read } for  pid=640 comm="kdump-dep-gener" path="/33/73be7af612e45284fda8531c4883219c32e3416b5cf7cdbbfdd40605df436f" dev="vdb3" ino=678768 scontext=system_u:system_r:kdump_dep_generator_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

audit: type=1400 audit(1758694964.828:4): avc:  denied  { read } for  pid=669 comm="sed" path="/b1/32fabb5dbcc5830cfaeeba919a52d132f5851880054ec50559d43f9cfd10d8" dev="vdb3" in o=683644 scontext=system_u:system_r:kdump_dep_generator_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

The repo object /e7/b21bc6ba7080f331992e550543a28cd7d03382ef065a46f2326150e497965f points to /usr/lib64/libcap-ng.so.0.0.0

I haven't included all the AVC denials as there are quite a few.

Relabeling files in objects directory to their counterparts in the EROFS should fix this issue

[Johan-Liebert1]

Should be reproducable using the following Containerfile

FROM quay.io/fedora/fedora-bootc:42

COPY bootc /usr/bin
COPY cfsctl /usr/bin
COPY extra /

RUN set -x; \
    kver=$(cd /usr/lib/modules && echo *); \
    dracut -vf /usr/lib/modules/$kver/initramfs.img $kver;

RUN passwd -d root

[allisonkarlitskaya]

We can't relabel the files to their counterparts in the erofs because more than one logical file might have the same fs-verity content digest... this is why ostree originally included metadata in the checksum calculation...

We need to figure out another way to fix this: something like a label that is universally allowed for reading, or a way to say that overlayfs gets special permissions...

[Johan-Liebert1]

We can't relabel the files to their counterparts in the erofs because more than one logical file might have the same fs-verity content digest

Ah, right, we can't do that

[cgwalters]

bootc already does this https://github.com/bootc-dev/bootc/blob/69395c3076620a5c03eef82395ddaac08504f4e4/crates/lib/src/install.rs#L912 - we just need to run the ~same code in the composefs install path I think.