build-library: Rework selinux setup

Move the selinux policy build to before 'write_contents' and 'zero
free space' are done so that the selinux modules are included in
those operations.  Also apply the selinux file lables as needed.

Signed-off-by: Geoff Levand <[email protected]>

Author: glevand

build_library/build_image_util.sh

@@ -506,6 +506,16 @@ EOF
         "${BUILD_DIR}/${image_kconfig}"
   fi
 
+  # Build the selinux policy and apply file labels.
+  if pkg_use_enabled coreos-base/coreos selinux; then
+    setup_qemu_static "${root_fs_dir}"
+    sudo chroot "${root_fs_dir}" /bin/bash << 'EOF'
+      (cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp)
+      setfiles -F /usr/lib/selinux/mcs/contexts/files/file_contexts /usr/lib/modules
+EOF
+    clean_qemu_static "${root_fs_dir}"
+  fi
+
   write_contents "${root_fs_dir}" "${BUILD_DIR}/${image_contents}"
 
   # Zero all fs free space to make it more compressible so auto-update
@@ -515,13 +525,6 @@ EOF
     sudo fstrim "${root_fs_dir}/usr" || true
   fi
 
-  # Build the selinux policy
-  if pkg_use_enabled coreos-base/coreos selinux; then
-      setup_qemu_static "${root_fs_dir}"
-      sudo chroot "${root_fs_dir}" bash -c "cd /usr/share/selinux/mcs && semodule -s mcs -i *.pp"
-      clean_qemu_static "${root_fs_dir}"
-  fi
-
   # Make the filesystem un-mountable as read-write and setup verity.
   if [[ ${disable_read_write} -eq ${FLAGS_TRUE} ]]; then
     # Unmount /usr partition