manifest: support force-relabel for SELinux in image config

The RHEL 7 images need to enable the force_autorelabel option for the SELinux stage in osbuild. This option should almost never be used but it was added specifically for RHEL 7. With the rewrite to the new definitions and the sharing of pipeline code between all distros, we need to add support to all stages of the pipeline generation to be able to enable it.
2023-01-24 19:02:29 +01:00 · 2023-01-24 19:02:29 +01:00 · d2114d0f9e
commit d2114d0f9e
parent 822571e28e
5 changed files with 13 additions and 3 deletions
--- a/internal/distro/image_config.go
+++ b/internal/distro/image_config.go
@ -31,6 +31,10 @@ type ImageConfig struct {
 	// Disable SELinux labelling
 	NoSElinux *bool

+	// Do not use. Forces auto-relabelling on first boot.
+	// See https://github.com/osbuild/osbuild/commit/52cb27631b587c1df177cd17625c5b473e1e85d2
+	SELinuxForceRelabel *bool
+
 	// Disable documentation
 	ExcludeDocs *bool

--- a/internal/distro/rhel7/azure.go
+++ b/internal/distro/rhel7/azure.go
@ -37,7 +37,8 @@ var azureDefaultImgConfig = &distro.ImageConfig{
 		"/etc/pki/rpm-gpg/RPM-GPG-KEY-microsoft-azure-release",
 		"/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
 	},
-	Authconfig: &osbuild.AuthconfigStageOptions{},
+	SELinuxForceRelabel: common.ToPtr(true),
+	Authconfig:          &osbuild.AuthconfigStageOptions{},
 	Sysconfig: []*osbuild.SysconfigStageOptions{
 		{
 			Kernel: &osbuild.SysconfigKernelOptions{
--- a/internal/distro/rhel7/images.go
+++ b/internal/distro/rhel7/images.go
@ -125,6 +125,7 @@ func osCustomizations(
 	// Relabel the tree, unless the `NoSElinux` flag is explicitly set to `true`
 	if imageConfig.NoSElinux == nil || imageConfig.NoSElinux != nil && !*imageConfig.NoSElinux {
 		osc.SElinux = "targeted"
+		osc.SELinuxForceRelabel = imageConfig.SELinuxForceRelabel
 	}

 	if oscapConfig := c.GetOpenSCAP(); oscapConfig != nil {
--- a/internal/distro/rhel7/qcow2.go
+++ b/internal/distro/rhel7/qcow2.go
@ -26,7 +26,8 @@ var qcow2ImgType = imageType{
 }

 var qcow2DefaultImgConfig = &distro.ImageConfig{
-	DefaultTarget: common.ToPtr("multi-user.target"),
+	DefaultTarget:       common.ToPtr("multi-user.target"),
+	SELinuxForceRelabel: common.ToPtr(true),
 	Sysconfig: []*osbuild.SysconfigStageOptions{
 		{
 			Kernel: &osbuild.SysconfigKernelOptions{
--- a/internal/manifest/os.go
+++ b/internal/manifest/os.go
@ -71,6 +71,8 @@ type OSCustomizations struct {
 	// selected profile
 	SElinux string

+	SELinuxForceRelabel *bool
+
 	// Do not install documentation
 	ExcludeDocs bool

@ -593,7 +595,8 @@ func (p *OS) serialize() osbuild.Pipeline {

 	if p.SElinux != "" {
 		pipeline.AddStage(osbuild.NewSELinuxStage(&osbuild.SELinuxStageOptions{
-			FileContexts: fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.SElinux),
+			FileContexts:     fmt.Sprintf("etc/selinux/%s/contexts/files/file_contexts", p.SElinux),
+			ForceAutorelabel: p.SELinuxForceRelabel,
 		}))
 	}