From 41cf4bf2d3795570f2ab2e1f6c4ebc86fd144279 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Wed, 12 Aug 2020 00:50:54 +0200
Subject: [PATCH] buildroot: ensure /sys/fs/selinux is read-only

Make sure "/sys/fs/selinux" is read-only, otherwise libselinux and tools will assume that SELinux is available and active and in turn use /sys/fs/selinux to e.g. verify the file systems labels; this will then prevent setting unknown labels via `setfiles`.
---
 osbuild/buildroot.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/osbuild/buildroot.py b/osbuild/buildroot.py
index e210aee0..36fae65b 100644
--- a/osbuild/buildroot.py
+++ b/osbuild/buildroot.py
@@ -150,6 +150,7 @@ class BuildRoot(contextlib.AbstractContextManager):
 # Setup API file-systems.
 mounts += ["--proc", "/proc"]
 mounts += ["--bind", "/sys", "/sys"]
+mounts += ["--ro-bind-try", "/sys/fs/selinux", "/sys/fs/selinux"]
 # We execute our own modules by bind-mounting them from the host into
 # the build-root. We have minimal requirements on the build-root, so
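Review bot: The added `--ro-bind-try` line carries no in-code explanation, and its position directly after `--bind /sys /sys` is load-bearing: if the two were ever reordered, the read-write `/sys` bind would shadow the read-only selinuxfs mount and libselinux would again treat SELinux as active, which is exactly what the commit message says breaks `setfiles`. I would add a comment above the new line: `# Mount selinuxfs read-only (after /sys, so it is not shadowed): a read-only` / `# /sys/fs/selinux makes libselinux treat SELinux as unavailable, so tools such` / `# as setfiles can set labels the host policy does not know.` The `-try` variant silently skips the mount when the host has no `/sys/fs/selinux`, which is presumably the intent for hosts without SELinux; the comment should also mention that this relies on a bubblewrap release that supports `--ro-bind-try`. The enclosing method starts and ends outside the hunk.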