osbuild: set SELinux labels on qemu-secex image

nikita-dubrovskii · dustymabe · commit 088bc14db0c6 · 2024-11-15T18:09:17.000-05:00
diff --git a/src/osbuild-manifests/platform.qemu-secex.ipp.yaml b/src/osbuild-manifests/platform.qemu-secex.ipp.yaml
@@ -109,6 +109,82 @@ pipelines:
           uuid: random
           label:
             mpp-format-string: '{sd_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
+      - type: org.osbuild.mkdir
+        options:
+          paths:
+            - path: mount://root/boot
+              mode: 493
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''root''].partnum}'
+            target: /root-mount-point
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''root''].partnum}'
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''root''].partnum}'
+            target: /
+          - name: boot
+            type: org.osbuild.ext4
+            source: disk
+            partition:
+              mpp-format-int: '{image_secex.layout[''boot''].partnum}'
+            target: /boot
       - type: org.osbuild.copy
         inputs:
           tree:
