base_image: add SELinux relabeling for Fedora virt-builder images

Fedora guest images created on Debian hosts fail to boot because the filesystem
lacks proper SELinux contexts. All binaries fail with exit code 127 (command not
found) as SELinux blocks execution of files with unlabeled_t context.

Add --selinux-relabel flag to virt-builder invocations when building Fedora
images. This flag applies correct SELinux contexts during image creation, before
first boot, ensuring all files have proper contexts when Fedora starts.

The flag is conditionally added only for Fedora guests using Jinja2 conditionals
in the task's argv parameter. This allows Fedora guests to boot successfully when
provisioned from non-SELinux hosts.

Generated-by: Claude AI
Signed-off-by: Daniel Gomez <[email protected]>

Author: dkruces

playbooks/roles/base_image/tasks/base-image.yml

@@ -49,6 +49,7 @@
       - "raw"
       - "--commands-from-file"
       - "{{ command_file.path }}"
+      - "{{ '--selinux-relabel' if (guestfs_fedora is defined and guestfs_fedora|bool) else '' }}"
     creates: "{{ base_image_pathname }}"
   when:
     - libvirt_uri_system|bool
@@ -68,6 +69,7 @@
       - "raw"
       - "--commands-from-file"
       - "{{ command_file.path }}"
+      - "{{ '--selinux-relabel' if (guestfs_fedora is defined and guestfs_fedora|bool) else '' }}"
     creates: "{{ base_image_pathname }}"
   when:
     - not libvirt_uri_system|bool