install: Add final SELinux relabel of the physical root filesystem

jeckersb · jeckersb · commit fb29b58e91d7 · 2026-03-02T20:11:41.000-05:00
Perform a full SELinux relabel pass over the physical root filesystem as
the very last step before filesystem finalization. This ensures all files
on the physical root have correct SELinux labels.

The ostree/deploy directory is skipped since its contents are already
correctly labeled as part of the container image deployment. If
ostree/deploy doesn't exist (e.g. composefs backend), the entire tree is
relabeled.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: John Eckersberg &lt;jeckersb@redhat.com&gt;
diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
@@ -1970,6 +1970,33 @@ async fn install_to_filesystem_impl(
         ostree_install(state, rootfs, cleanup).await?;
     }
 
+    // As the very last step before filesystem finalization, do a full SELinux
+    // relabel of the physical root filesystem.  We skip ostree/deploy because
+    // the contents there are already correctly labeled as part of the
+    // container image deployment.
+    if let Some(policy) = state.load_policy()? {
+        tracing::info!("Performing final SELinux relabeling of physical root");
+        let skip_devino = if let Some(deploy_dir) =
+            rootfs.physical_root.open_dir_optional("ostree/deploy")?
+        {
+            let deploy_meta = deploy_dir.dir_metadata()?;
+            Some((deploy_meta.dev(), deploy_meta.ino()))
+        } else {
+            tracing::debug!("No ostree/deploy directory found; relabeling everything");
+            None
+        };
+        let mut path = Utf8PathBuf::from("");
+        crate::lsm::ensure_dir_labeled_recurse(
+            &rootfs.physical_root,
+            &mut path,
+            &policy,
+            skip_devino,
+        )
+        .context("Final SELinux relabeling of physical root")?;
+    } else {
+        tracing::debug!("Skipping final SELinux relabel (SELinux is disabled)");
+    }
+
     // Finalize mounted filesystems
     if !rootfs.skip_finalize {
         let bootfs = rootfs.boot.as_ref().map(|_| ("boot", "boot"));
