Ensure root_t label for /store

The way osbuild works is to synthesize a filesystem tree in the store, then copy it to the disk. This ensures the label for the store is `root_t` which ends up being the labeling for the "infrastructure" bits in the `/ostree` repository in the target root. This in turn is blocking a lot of things. Closes: #149
osbuild · Feb 13, 2024 · 2ecd928 · 2ecd928
1 parent 4bfb69b
commit 2ecd928
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/bib/cmd/bootc-image-builder/main.go b/bib/cmd/bootc-image-builder/main.go
@@ -226,7 +226,7 @@ func cmdBuild(cmd *cobra.Command, args []string) error {
 	if err := setup.Validate(); err != nil {
 		return err
 	}
-	if err := setup.EnsureEnvironment(); err != nil {
+	if err := setup.EnsureEnvironment(osbuildStore); err != nil {
 		return err
 	}
 

diff --git a/bib/internal/setup/setup.go b/bib/internal/setup/setup.go
@@ -12,7 +12,7 @@ import (
 
 // EnsureEnvironment mutates external filesystem state as necessary
 // to run in a container environment.  This function is idempotent.
-func EnsureEnvironment() error {
+func EnsureEnvironment(storePath string) error {
 	osbuildPath := "/usr/bin/osbuild"
 	if util.IsMountpoint(osbuildPath) {
 		return nil
@@ -53,6 +53,14 @@ func EnsureEnvironment() error {
 	if err := util.RunCmdSync("mount", "--bind", destPath, osbuildPath); err != nil {
 		return err
 	}
+
+	// And we also forcibly label the store to ensure we're not grabbing container labels
+	rootType := "system_u:object_r:root_t:s0"
+	// This papers over the lack of ensuring correct labels for the /ostree root
+	// in the existing pipeline
+	if err := util.RunCmdSync("chcon", rootType, storePath); err != nil {
+		return err
+	}
 	return nil
 }