osbuild: use SELinux policy when setting labels on mountpoints

This allows us to use the policy rather than hardcoding labels to set
on the mountpoints. The unfortunate thing here is that in order to
pick up a policy easily we have to use the `build` pipeline where
the files are written out plainly and we don't have to find where
the OSTree deployment is. I say unfortunate because right now for
FCOS the `build` pipeline was getting skipped because we weren't using
it for anything else, but now we'll be forced to build it.

That's OK I think, because we really want to start using a non-host
(i.e. non-COSA) buildroot for FCOS too if we can ever convince the
team/community to get python into it.

This commit also adds a comment to explain the "why" for the mkdir
and two selinux stages.

Author: dustymabe

src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml

@@ -110,7 +110,9 @@ pipelines:
         else:
           type: org.osbuild.noop
   # Construct a buildroot here from the input container reference (either
-  # ociarchive or registry/tag). Note that it won't actually be built
+  # ociarchive or registry/tag). Note that this is only used as a buildroot
+  # on RHCOS (FCOS doesn't ship python), but it is used everywhere as
+  # file_context input to the org.osbuild.selinux stages.
   # unless used somewhere later in the manifest.
   - name: build
     stages:
@@ -143,8 +145,14 @@ pipelines:
       # https://github.com/coreos/fedora-coreos-tracker/issues/1772
       - type: org.osbuild.selinux
         options:
-          labels:
-            /: system_u:object_r:root_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: tree:///
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
       - type: org.osbuild.ostree.init-fs
       - type: org.osbuild.ostree.os-init
         options:
@@ -317,6 +325,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -345,10 +359,37 @@ pipelines:
             target: /boot-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/efi: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image.layout[''root''].partnum}'
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -361,7 +402,7 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk
@@ -534,6 +575,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -564,10 +611,14 @@ pipelines:
             target: /boot-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/efi: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -582,7 +633,32 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image4k.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+              sector-size:
+                  mpp-format-int: "{four_k_sector_size}"
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image4k.layout[''root''].partnum}'
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk

src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml

@@ -112,7 +112,9 @@ pipelines:
         else:
           type: org.osbuild.noop
   # Construct a buildroot here from the input container reference (either
-  # ociarchive or registry/tag). Note that it won't actually be built
+  # ociarchive or registry/tag). Note that this is only used as a buildroot
+  # on RHCOS (FCOS doesn't ship python), but it is used everywhere as
+  # file_context input to the org.osbuild.selinux stages.
   # unless used somewhere later in the manifest.
   - name: build
     stages:
@@ -145,8 +147,14 @@ pipelines:
       # https://github.com/coreos/fedora-coreos-tracker/issues/1772
       - type: org.osbuild.selinux
         options:
-          labels:
-            /: system_u:object_r:root_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: tree:///
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
       - type: org.osbuild.ostree.init-fs
       - type: org.osbuild.ostree.os-init
         options:
@@ -310,6 +318,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -330,9 +344,37 @@ pipelines:
             target: /root-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image.layout[''root''].partnum}'
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -345,7 +387,7 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk
@@ -495,6 +537,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -517,9 +565,14 @@ pipelines:
             target: /root-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -534,7 +587,32 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image4k.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+              sector-size:
+                  mpp-format-int: "{four_k_sector_size}"
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image4k.layout[''root''].partnum}'
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk