Skip to content

bootc: Fix selinux labeling when using separate build container#2092

Merged
thozza merged 1 commit intoosbuild:mainfrom
alexlarsson:fix-selinux-policy-for-container
Dec 16, 2025
Merged

bootc: Fix selinux labeling when using separate build container#2092
thozza merged 1 commit intoosbuild:mainfrom
alexlarsson:fix-selinux-policy-for-container

Conversation

@alexlarsson
Copy link
Contributor

@alexlarsson alexlarsson commented Dec 15, 2025

When the build container and the target container are using different selinux policies we need to label them as such. The build container needs to be labeled with img.OSCustomizations.BuildSELinux, and the "target" container should be labeled with the same policy as the source target.

Currently we're using the build policy for both, and in the case where the source container doesn't include that policy it fails. For example, if the build container is using the targeted policy, but the bootc source image only has the automotive policy, then the relabeling in the target pipeline atm fails with "targeted policy not found".

@alexlarsson alexlarsson requested a review from a team as a code owner December 15, 2025 15:08
@alexlarsson
bootc: Fix selinux labeling when using separate build container
5cba901 
When the build container and the target container are using different
selinux policies we need to label them as such. The build container
needs to be labeled with img.OSCustomizations.BuildSELinux,
and the "target" container should be labeled with the same policy
as the source target.

Currently we're using the build policy for both, and in the case where
the source container doesn't include that policy it fails.  For
example, if the build container is using the targeted policy, but the
bootc source image only has the automotive policy, then the relabeling
in the target pipeline atm fails with "targeted policy not found".
@alexlarsson alexlarsson force-pushed the fix-selinux-policy-for-container branch from 63bb58e to 5cba901 Compare December 15, 2025 15:22
supakeen
supakeen approved these changes Dec 15, 2025
View reviewed changes
Copy link
Member

@supakeen supakeen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Thanks.

@mvo5 mvo5 enabled auto-merge December 15, 2025 16:58
@mvo5 mvo5 added this pull request to the merge queue Dec 15, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 15, 2025
thozza
thozza approved these changes Dec 16, 2025
View reviewed changes
Copy link
Member

@thozza thozza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@thozza thozza added this pull request to the merge queue Dec 16, 2025
Merged via the queue into osbuild:main with commit c112eb2 Dec 16, 2025
23 checks passed
croissanne added a commit to croissanne/osbuild-composer that referenced this pull request Jan 21, 2026
@croissanne
go.mod: update images to v0.231.0
b4d54d5 
Changes with 0.231.0
----------------
  - Drop iommu.strict=0 from aarch64 EC2 images (osbuild/images#2090)
    - Author: Achilleas Koutsou, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - bootc: Fix selinux labeling when using separate build container (osbuild/images#2092)
    - Author: Alexander Larsson, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - ci: resolve dubious ownership for git (osbuild/images#2100)
    - Author: Lukáš Zapletal, Reviewers: Achilleas Koutsou, Michael Vogt
  - data: import RH v4 key on rhel-10.1+ only (osbuild/images#2097)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger
  - distrodefs: drop `use_syslinux` as it has no effect (osbuild/images#2088)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger
  - fedora: /boot on btrfs for Fedora Cloud 44 (HMS-9737) (osbuild/images#1960)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Neal Gompa (ニール・ゴンパ), Tomáš Hozza
  - fedora: add `server-network-installer` (osbuild/images#2094)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - installer: only install `syslinux` when needed (osbuild/images#2089)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - manifest: add `set -e` to `bootc switch...` kickstart %post (osbuild/images#2093)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - many: include legal and license files in ISO (osbuild/images#2099)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - osbuild: drop `valueIn` helper (osbuild/images#2086)
    - Author: Michael Vogt, Reviewers: Brian C. Lane, Simon de Vlieger
  - readme: update link to image definitions (osbuild/images#2070)
    - Author: Anna Vítová, Reviewers: Achilleas Koutsou, Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - test: cross arch build/boot smoke test for ppc64le,s390x (osbuild/images#2069)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
achilleas-k pushed a commit to osbuild/osbuild-composer that referenced this pull request Jan 21, 2026
@croissanne @achilleas-k
go.mod: update images to v0.231.0
e296d0e 
Changes with 0.231.0
----------------
  - Drop iommu.strict=0 from aarch64 EC2 images (osbuild/images#2090)
    - Author: Achilleas Koutsou, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - bootc: Fix selinux labeling when using separate build container (osbuild/images#2092)
    - Author: Alexander Larsson, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - ci: resolve dubious ownership for git (osbuild/images#2100)
    - Author: Lukáš Zapletal, Reviewers: Achilleas Koutsou, Michael Vogt
  - data: import RH v4 key on rhel-10.1+ only (osbuild/images#2097)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger
  - distrodefs: drop `use_syslinux` as it has no effect (osbuild/images#2088)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger
  - fedora: /boot on btrfs for Fedora Cloud 44 (HMS-9737) (osbuild/images#1960)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Neal Gompa (ニール・ゴンパ), Tomáš Hozza
  - fedora: add `server-network-installer` (osbuild/images#2094)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - installer: only install `syslinux` when needed (osbuild/images#2089)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - manifest: add `set -e` to `bootc switch...` kickstart %post (osbuild/images#2093)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - many: include legal and license files in ISO (osbuild/images#2099)
    - Author: Simon de Vlieger, Reviewers: Lukáš Zapletal, Tomáš Hozza
  - osbuild: drop `valueIn` helper (osbuild/images#2086)
    - Author: Michael Vogt, Reviewers: Brian C. Lane, Simon de Vlieger
  - readme: update link to image definitions (osbuild/images#2070)
    - Author: Anna Vítová, Reviewers: Achilleas Koutsou, Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
  - test: cross arch build/boot smoke test for ppc64le,s390x (osbuild/images#2069)
    - Author: Michael Vogt, Reviewers: Lukáš Zapletal, Simon de Vlieger, Tomáš Hozza
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lzap lzap lzap approved these changes

@thozza thozza thozza approved these changes

@supakeen supakeen supakeen approved these changes

@croissanne croissanne Awaiting requested review from croissanne croissanne is a code owner automatically assigned from osbuild/osbuild-reviewers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alexlarsson @lzap @thozza @supakeen