base_image: force SELinux relabeling for Fedora on Debian hosts

Fedora guest images created on Debian hosts fail to boot with exit code 127
errors because the filesystem lacks proper SELinux contexts. All files have
unlabeled_t context causing SELinux to block all binary execution.

virt-builder's --selinux-relabel flag is a no-op compatibility option. While
virt-builder attempts automatic relabeling, it fails silently on non-SELinux
hosts and falls back to creating /.autorelabel, which triggers a chicken-and-egg
problem where the relabeling service itself cannot execute.

Add a post-processing step that runs virt-customize --selinux-relabel after
virt-builder creates the image. This runs only when building Fedora guests on
Debian hosts, ensuring proper SELinux contexts before first boot. virt-customize
has the actual working implementation of SELinux relabeling.

Generated-by: Claude AI
Signed-off-by: Daniel Gomez <[email protected]>

Author: dkruces

playbooks/roles/base_image/tasks/base-image.yml

@@ -52,6 +52,7 @@
     creates: "{{ base_image_pathname }}"
   when:
     - libvirt_uri_system|bool
+  register: virt_builder_result
 
 - name: Generate a new base image for {{ base_image_os_version }}
   ansible.builtin.command:
@@ -71,6 +72,37 @@
     creates: "{{ base_image_pathname }}"
   when:
     - not libvirt_uri_system|bool
+  register: virt_builder_result
+
+- name: Force SELinux relabeling for Fedora images on non-SELinux hosts
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.builtin.command:
+    argv:
+      - "virt-customize"
+      - "-a"
+      - "{{ base_image_pathname }}"
+      - "--selinux-relabel"
+  when:
+    - libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
+    - ansible_facts['os_family']|lower == 'debian'
+    - virt_builder_result is changed
+
+- name: Force SELinux relabeling for Fedora images on non-SELinux hosts
+  ansible.builtin.command:
+    argv:
+      - "virt-customize"
+      - "-a"
+      - "{{ base_image_pathname }}"
+      - "--selinux-relabel"
+  when:
+    - not libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
+    - ansible_facts['os_family']|lower == 'debian'
+    - virt_builder_result is changed
 
 - name: Set proper ownership on base image for rcloud access (system libvirt)
   become: true