base_image: add SELinux relabeling for Fedora virt-builder images

Fedora guest images created on Debian hosts fail to boot because the filesystem
lacks proper SELinux contexts. All binaries fail with exit code 127 (command not
found) as SELinux blocks execution of files with unlabeled_t context.

Add --selinux-relabel flag to virt-builder invocations when building Fedora
images. This flag applies correct SELinux contexts during image creation, before
first boot, ensuring all files have proper contexts when Fedora starts.

The implementation uses separate tasks for Fedora and non-Fedora builds rather
than conditional argv construction to avoid passing empty string arguments. This
ensures the flag is only present for Fedora builds and cleanly omitted otherwise.

Generated-by: Claude AI
Signed-off-by: Daniel Gomez <[email protected]>

Author: dkruces

playbooks/roles/base_image/tasks/base-image.yml

@@ -32,6 +32,30 @@
     dest: "{{ command_file.path }}"
     mode: "u=rw"
 
+- name: Generate a new base image for {{ base_image_os_version }} (Fedora with SELinux relabeling)
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.builtin.command:
+    argv:
+      - "virt-builder"
+      - "{{ base_image_os_version }}"
+      - "--arch"
+      - "{{ ansible_machine }}"
+      - "-o"
+      - "{{ base_image_pathname }}"
+      - "--size"
+      - "{{ libvirt_image_size }}"
+      - "--format"
+      - "raw"
+      - "--commands-from-file"
+      - "{{ command_file.path }}"
+      - "--selinux-relabel"
+    creates: "{{ base_image_pathname }}"
+  when:
+    - libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
+
 - name: Generate a new base image for {{ base_image_os_version }}
   become: true
   become_method: ansible.builtin.sudo
@@ -52,6 +76,29 @@
     creates: "{{ base_image_pathname }}"
   when:
     - libvirt_uri_system|bool
+    - not (guestfs_fedora is defined and guestfs_fedora|bool)
+
+- name: Generate a new base image for {{ base_image_os_version }} (Fedora with SELinux relabeling)
+  ansible.builtin.command:
+    argv:
+      - "virt-builder"
+      - "{{ base_image_os_version }}"
+      - "--arch"
+      - "{{ ansible_machine }}"
+      - "-o"
+      - "{{ base_image_pathname }}"
+      - "--size"
+      - "{{ libvirt_image_size }}"
+      - "--format"
+      - "raw"
+      - "--commands-from-file"
+      - "{{ command_file.path }}"
+      - "--selinux-relabel"
+    creates: "{{ base_image_pathname }}"
+  when:
+    - not libvirt_uri_system|bool
+    - guestfs_fedora is defined
+    - guestfs_fedora|bool
 
 - name: Generate a new base image for {{ base_image_os_version }}
   ansible.builtin.command:
@@ -71,6 +118,7 @@
     creates: "{{ base_image_pathname }}"
   when:
     - not libvirt_uri_system|bool
+    - not (guestfs_fedora is defined and guestfs_fedora|bool)
 
 - name: Set proper ownership on base image for rcloud access (system libvirt)
   become: true