use file_contexts to label /boot/*

Author: nikita-dubrovskii

src/osbuild-manifests/coreos.osbuild.x86_64.mpp.yaml

@@ -3,6 +3,7 @@ mpp-vars:
   filename: $filename
   ostree_repo: $ostree_repo
   ostree_ref: $ostree_ref
+  ostree_commit: $ostree_commit
   ociarchive: $ociarchive
   osname: $osname
   container_imgref: $container_imgref
@@ -40,6 +41,9 @@ mpp-vars:
   # the host buildroot is the default if nothing is specified.
   # We're still defining it here in an attempt to be explicit.
   qemu_stage_buildroot: ""
+  # root path
+  deploy_root:
+    mpp-format-string: "ostree/deploy/{osname}/deploy/{ostree_commit}.0"
 mpp-define-images:
   - id: image
     sector_size:
@@ -349,8 +353,6 @@ pipelines:
         options:
           labels:
             mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/efi: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
         devices:
           disk:
             type: org.osbuild.loopback
@@ -363,13 +365,7 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image.layout[''root''].partnum}'
-            target: /sysroot
-          - name: boot
-            type: org.osbuild.ext4
-            source: disk
-            partition:
-              mpp-format-int: '{image.layout[''boot''].partnum}'
-            target: /boot
+            target: /
       - type: org.osbuild.copy
         inputs:
           tree:
@@ -406,6 +402,30 @@ pipelines:
             partition:
               mpp-format-int: '{image.layout[''EFI-SYSTEM''].partnum}'
             target: /boot/efi
+      - type: org.osbuild.selinux
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:tree
+        options:
+          file_contexts:
+            mpp-format-string: "input://tree/{deploy_root}/etc/selinux/targeted/contexts/files/file_contexts"
+          target: "mount://boot/"
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: boot
+            type: org.osbuild.ext4
+            source: disk
+            partition:
+              mpp-format-int: '{image.layout[''boot''].partnum}'
+            target: /
       - type: org.osbuild.bootupd
         options:
           bios:

src/runvm-osbuild

@@ -69,6 +69,7 @@ if [ -z "${deploy_via_container}" ]; then
     ostree_repo="file://$(getconfig "ostree-repo")"
 fi
 
+ostree_commit=$(getconfig "ostree-commit")
 # Since it doesn't exist create loop-control
 [ ! -e /dev/loop-control ] && mknod /dev/loop-control c 10 237
 
@@ -92,6 +93,7 @@ osbuild-mpp                                             \
     -D arch=\""$(arch)"\"                               \
     -D ostree_ref=\""${ostree_ref}"\"                   \
     -D ostree_repo=\""${ostree_repo}"\"                 \
+    -D ostree_commit=\""${ostree_commit}"\"             \
     -D filename=\""${filename}"\"                       \
     -D ociarchive=\""${ostree_container}"\"             \
     -D osname=\""${osname}"\"                           \