coreos
diff --git a/‎src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml‎
Lines changed: 89 additions & 13 deletions b/‎src/osbuild-manifests/coreos.osbuild.aarch64.mpp.yaml‎
Lines changed: 89 additions & 13 deletions
diff --git a/‎src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml‎
Lines changed: 88 additions & 11 deletions b/‎src/osbuild-manifests/coreos.osbuild.ppc64le.mpp.yaml‎
Lines changed: 88 additions & 11 deletions
@@ -110,7 +110,9 @@ pipelines:
         else:
           type: org.osbuild.noop
   # Construct a buildroot here from the input container reference (either
-  # ociarchive or registry/tag). Note that it won't actually be built
+  # ociarchive or registry/tag). Note that this is only used as a buildroot
+  # on RHCOS (FCOS doesn't ship python), but it is used everywhere as
+  # file_context input to the org.osbuild.selinux stages.
   # unless used somewhere later in the manifest.
   - name: build
     stages:
@@ -143,8 +145,14 @@ pipelines:
       # https://github.com/coreos/fedora-coreos-tracker/issues/1772
       - type: org.osbuild.selinux
         options:
-          labels:
-            /: system_u:object_r:root_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: tree:///
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
       - type: org.osbuild.ostree.init-fs
       - type: org.osbuild.ostree.os-init
         options:
@@ -317,6 +325,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -345,10 +359,37 @@ pipelines:
             target: /boot-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/efi: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image.layout[''root''].partnum}'
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -361,7 +402,7 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk
@@ -534,6 +575,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -564,10 +611,14 @@ pipelines:
             target: /boot-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/efi: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -582,7 +633,32 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image4k.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+              sector-size:
+                  mpp-format-int: "{four_k_sector_size}"
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image4k.layout[''root''].partnum}'
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk
 
@@ -112,7 +112,9 @@ pipelines:
         else:
           type: org.osbuild.noop
   # Construct a buildroot here from the input container reference (either
-  # ociarchive or registry/tag). Note that it won't actually be built
+  # ociarchive or registry/tag). Note that this is only used as a buildroot
+  # on RHCOS (FCOS doesn't ship python), but it is used everywhere as
+  # file_context input to the org.osbuild.selinux stages.
   # unless used somewhere later in the manifest.
   - name: build
     stages:
@@ -145,8 +147,14 @@ pipelines:
       # https://github.com/coreos/fedora-coreos-tracker/issues/1772
       - type: org.osbuild.selinux
         options:
-          labels:
-            /: system_u:object_r:root_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: tree:///
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
       - type: org.osbuild.ostree.init-fs
       - type: org.osbuild.ostree.os-init
         options:
@@ -310,6 +318,12 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. This also
+      # covers things like filesystem autogenerated files like 'lost+found'. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -330,9 +344,37 @@ pipelines:
             target: /root-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image.layout[''root''].partnum}'
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -345,7 +387,7 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk
@@ -495,6 +537,11 @@ pipelines:
             mpp-format-string: '{root_fs_uuid}'
           label:
             mpp-format-string: '{root_fs_label}'
+      # We've created the filesystems. Now let's create the mountpoints (directories)
+      # on the filesystems and label them with appropriate SELinux labels. The labeling
+      # will happen once with just the root filesystem mounted and once with the boot
+      # filesystem mounted too (to make sure we get all potentially hidden mountpoints).
+      # https://github.com/coreos/fedora-coreos-tracker/issues/1771
       - type: org.osbuild.mkdir
         options:
           paths:
@@ -517,9 +564,14 @@ pipelines:
             target: /root-mount-point
       - type: org.osbuild.selinux
         options:
-          labels:
-            mount://root/boot: system_u:object_r:boot_t:s0
-            mount://boot/lost+found: system_u:object_r:lost_found_t:s0
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
         devices:
           disk:
             type: org.osbuild.loopback
@@ -534,7 +586,32 @@ pipelines:
             source: disk
             partition:
               mpp-format-int: '{image4k.layout[''root''].partnum}'
-            target: /sysroot
+            target: /
+      - type: org.osbuild.selinux
+        options:
+          file_contexts: input://tree/etc/selinux/targeted/contexts/files/file_contexts
+          target: mount://root/boot/
+        inputs:
+          tree:
+            type: org.osbuild.tree
+            origin: org.osbuild.pipeline
+            references:
+              - name:build
+        devices:
+          disk:
+            type: org.osbuild.loopback
+            options:
+              filename: disk.img
+              partscan: true
+              sector-size:
+                  mpp-format-int: "{four_k_sector_size}"
+        mounts:
+          - name: root
+            type: org.osbuild.xfs
+            source: disk
+            partition:
+              mpp-format-int: '{image4k.layout[''root''].partnum}'
+            target: /
           - name: boot
             type: org.osbuild.ext4
             source: disk