aarch64: upgrade causes SELinux mislabeled dtb files in /boot/ostree

[dustymabe]

On upgrades it appears files in dtb files in /boot on aarch64 systems have the wrong context. It looks like the context matches where the files are copied from rather than the paths they are being copied to.

When booted from the fresh 40.20240825.3.0 stable image (i.e. the release from a few weeks back):

Fedora CoreOS 40.20240825.3.0
[core@cosa-devsh ~]$
[core@cosa-devsh ~]$ sudo restorecon -vnr /boot/ostree/
[core@cosa-devsh ~]$

After upgrade to latest stable:

Fedora CoreOS 40.20240906.3.0
[core@cosa-devsh ~]$
[core@cosa-devsh ~]$ rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: active; periodically polling for updates (last checked Fri 2024-10-04 16:07:17 UTC)
Deployments:
_ fedora:fedora/aarch64/coreos/stable
                  Version: 40.20240906.3.0 (2024-09-23T18:11:19Z)
                   Commit: aad86a6390dbcf8caab4390e14854b2d6ddfa2b6885d5d3dfc7511bd431ba0ae
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC

  fedora:fedora/aarch64/coreos/stable
                  Version: 40.20240825.3.0 (2024-09-10T00:49:47Z)
                   Commit: a0e2520be57c71a0d459fee831b1e9eb0f9aea02b4d05d2fe7b8f66b8678471a
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC



[core@cosa-devsh ~]$ sudo restorecon -vnr /boot/ostree/ | wc -l
1866


[core@cosa-devsh ~]$ sudo restorecon -vnr /boot/ostree/ | head
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9132-db-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-uDPU.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9130-crb-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-7040-mochabin.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-gl-mv1000.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-7040-db.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/cn9131-db-B.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Would relabel /boot/ostree/fedora-coreos-3bdd09e36aecabd4d88e93b696c885903cde80cbdadc32861bc59881a26cf953/dtb/marvell/armada-3720-espressobin-v7-emmc.dtb from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0

So they are modules_object_t versus the policy expecting them to be boot_t. Not sure if this is a real problem or not.

Note I think this happens even on upgrades where there is no kernel update.