From 9a1d0f3828c10e19616a88c96b9574e51561af72 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 25 Feb 2025 21:39:19 +0100
Subject: [PATCH] manifest: disable selinux when using a bootstrap container

We cannot make assumption about the container being used, so disable selinux inside the bootstrap container.
---
 pkg/manifest/build.go | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/pkg/manifest/build.go b/pkg/manifest/build.go
index fc6d911760..68a625d2a9 100644
--- a/pkg/manifest/build.go
+++ b/pkg/manifest/build.go
@@ -174,10 +174,11 @@ func maybeAddExperimentalContainerBootstrap(m *Manifest, runner runner.Runner, o
 }
 name := "bootstrap-buildroot"
 bootstrapPipeline := &BuildrootFromContainer{
- Base: NewBase(name, nil),
- runner: runner,
- dependents: make([]Pipeline, 0),
- containers: cntSrcs,
+ Base: NewBase(name, nil),
+ runner: runner,
+ dependents: make([]Pipeline, 0),
+ containers: cntSrcs,
+ disableSelinux: true,
 }
 m.addPipeline(bootstrapPipeline)
 build.build = bootstrapPipeline
@@ -193,6 +194,7 @@ type BuildrootFromContainer struct {
 containerSpecs []container.Spec
 containerBuildable bool
+ disableSelinux bool
 }

 // NewBuildFromContainer creates a new build pipeline from the given
@@ -247,6 +249,10 @@ func (p *BuildrootFromContainer) serializeEnd() {
 }

 func (p *BuildrootFromContainer) getSELinuxLabels() map[string]string {
+ if p.disableSelinux {
+ return nil
+ }
+
 labels := map[string]string{
 "/usr/bin/ostree": "system_u:object_r:install_exec_t:s0",
 }
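Review bot: The new `disableSelinux: true` literal in maybeAddExperimentalContainerBootstrap and the `disableSelinux bool` field added to BuildrootFromContainer carry no explanation; the only statement of why labeling is skipped is the commit message, which the next reader of the struct will not see. Add a field comment such as `// disableSelinux skips the SELinux relabel stage for this buildroot; set when the root is deployed from a bootstrap container that cannot be assumed to ship an SELinux policy.` and a short comment at the literal pointing to it. It would also help to state at the field whether the flag affects only the build root and not any SELinux stage of the image being produced; from these hunks alone that cannot be confirmed. The same applies to both hunks, so one comment on the field is enough.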
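Review bot: The early `return nil` added to getSELinuxLabels duplicates the `!p.disableSelinux` guard that serialize now places around the only caller visible in this diff, so on the path shown the labels are never requested when the flag is set and this check is unreachable. If getSELinuxLabels has other callers outside the diff, a nil map is safe for reads, but the intent should be recorded, e.g. `// no SELinux policy is guaranteed in the bootstrap container, so report no labels`; otherwise drop one of the two checks so the behavior has a single source of truth. The body of getSELinuxLabels continues outside the hunk.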
@@ -276,13 +282,15 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 panic(err)
 }
 pipeline.AddStage(stage)
- pipeline.AddStage(osbuild.NewSELinuxStage(
- &osbuild.SELinuxStageOptions{
- FileContexts: "etc/selinux/targeted/contexts/files/file_contexts",
- ExcludePaths: []string{"/sysroot"},
- Labels: p.getSELinuxLabels(),
- },
- ))
+ if !p.disableSelinux {
+ pipeline.AddStage(osbuild.NewSELinuxStage(
+ &osbuild.SELinuxStageOptions{
+ FileContexts: "etc/selinux/targeted/contexts/files/file_contexts",
+ ExcludePaths: []string{"/sysroot"},
+ Labels: p.getSELinuxLabels(),
+ },
+ ))
+ }
 return pipeline
 }
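Review bot: The `if !p.disableSelinux` branch drops the relabel stage with no trace in the code of what the buildroot is then left with, which matters because the labels map this stage consumed exists specifically to give `/usr/bin/ostree` the `install_exec_t` context; a build root deployed from the bootstrap container now keeps whatever labels the container deploy stage leaves behind. Put the reason at the branch, `// bootstrap containers cannot be assumed to ship an SELinux policy (file_contexts), so the buildroot is left unlabeled`, so a later reader does not treat this as an accidental omission. Whether the remaining stages that run inside this buildroot tolerate the missing contexts on an enforcing host is not visible here and is worth a sentence either in that comment or in the field documentation. The start of serialize lies outside the hunk.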