guestfs: relabel root image after virt-sysprep for Fedora on Debian

virt-sysprep modifies files in the root image (hostname, SSH keys, timezone, etc)
but those modified files don't get SELinux labels because virt-sysprep's
auto-relabeling is disabled with --no-selinux-relabel to avoid the chicken-and-egg
problem where relabeling fails on Debian hosts.

The complete workflow is now:
1. virt-builder creates base image (no SELinux labels)
2. virt-customize --selinux-relabel on base image (correct labels)
3. cp base to root.raw (labels preserved)
4. virt-sysprep customizes root.raw with --no-selinux-relabel (modified files unlabeled)
5. virt-customize --selinux-relabel on root.raw (NEW STEP - fixes all labels)

This ensures all files have correct SELinux contexts before boot, including files
created or modified by virt-sysprep. The relabeling runs on localhost with proper
conditions for Fedora guests on Debian/Ubuntu hosts.

Generated-by: Claude AI
Signed-off-by: Daniel Gomez <[email protected]>

Author: dkruces

playbooks/roles/guestfs/tasks/bringup/main.yml

@@ -112,6 +112,36 @@
       when:
         - not libvirt_uri_system|bool
 
+    - name: Relabel root image after virt-sysprep for Fedora on Debian (as root)
+      become: true
+      become_method: ansible.builtin.sudo
+      ansible.builtin.command:
+        argv:
+          - "virt-customize"
+          - "-a"
+          - "{{ root_image }}"
+          - "--selinux-relabel"
+      delegate_to: localhost
+      when:
+        - libvirt_uri_system|bool
+        - guestfs_fedora is defined
+        - guestfs_fedora|bool
+        - ansible_distribution|lower in ['debian', 'ubuntu']
+
+    - name: Relabel root image after virt-sysprep for Fedora on Debian (non-root)
+      ansible.builtin.command:
+        argv:
+          - "virt-customize"
+          - "-a"
+          - "{{ root_image }}"
+          - "--selinux-relabel"
+      delegate_to: localhost
+      when:
+        - not libvirt_uri_system|bool
+        - guestfs_fedora is defined
+        - guestfs_fedora|bool
+        - ansible_distribution|lower in ['debian', 'ubuntu']
+
     - name: Create largeio devices
       ansible.builtin.include_tasks:
         file: "{{ role_path }}/tasks/bringup/largeio.yml"