base_image: force SELinux relabeling for Fedora on Debian hosts

dkruces · dkruces · commit 49b89e36fcdf · 2025-10-27T15:31:31.000+01:00
Fedora guest images created on Debian hosts fail to boot with exit code 127
errors because the filesystem lacks proper SELinux contexts. All files have
unlabeled_t context causing SELinux to block all binary execution.

virt-builder's --selinux-relabel flag is a no-op compatibility option. While
virt-builder attempts automatic relabeling, it fails silently on non-SELinux
hosts and falls back to creating /.autorelabel, which triggers a chicken-and-egg
problem where the relabeling service itself cannot execute.

Add a post-processing step that runs virt-customize --selinux-relabel after
virt-builder creates the image. This runs only when building Fedora guests on
Debian/Ubuntu hosts, ensuring proper SELinux contexts before first boot.

The implementation uses separate register variables for system and user libvirt
tasks to avoid overwriting results, and checks ansible_distribution instead of
os_family for more reliable Debian detection.

Generated-by: Claude AI
Signed-off-by: Daniel Gomez &lt;da.gomez@samsung.com&gt;
diff --git a/playbooks/roles/base_image/tasks/base-image.yml b/playbooks/roles/base_image/tasks/base-image.yml
@@ -52,6 +52,7 @@
     creates: "{{ base_image_pathname }}"
   when:
     - libvirt_uri_system|bool
+  register: virt_builder_result_system
 
 - name: Generate a new base image for {{ base_image_os_version }}
   ansible.builtin.command:
@@ -71,6 +72,37 @@
     creates: "{{ base_image_pathname }}"
   when:
     - not libvirt_uri_system|bool
+  register: virt_builder_result_user
+
+- name: Force SELinux relabeling for Fedora images on non-SELinux hosts (system libvirt)
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.builtin.command:
+    argv:
+      - "virt-customize"
+      - "-a"
+      - "{{ base_image_pathname }}"
+      - "--selinux-relabel"
+  when:
+    - libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
+    - ansible_distribution|lower in ['debian', 'ubuntu']
+    - virt_builder_result_system is changed
+
+- name: Force SELinux relabeling for Fedora images on non-SELinux hosts (user libvirt)
+  ansible.builtin.command:
+    argv:
+      - "virt-customize"
+      - "-a"
+      - "{{ base_image_pathname }}"
+      - "--selinux-relabel"
+  when:
+    - not libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
+    - ansible_distribution|lower in ['debian', 'ubuntu']
+    - virt_builder_result_user is changed
 
 - name: Set proper ownership on base image for rcloud access (system libvirt)
   become: true
