Add support for forcing on selinux labels #2804

Open
cgwalters opened this issue Jan 13, 2023 · 2 comments
Labels
difficulty/medium medium complexity/difficutly issue reward/small This is a minor fix or cleanup triaged This issue has been evaluated and is valid

Comments

@cgwalters (Member)

Working on containers/bootc#1 I was experimenting with testing a FCOS install from the default GHA Ubuntu VM where SELinux is disabled. ostree today doesn't work for this, but it should.

Basically, we shouldn't care about the host state, only the target. If the target system has selinux labels, we should write them. However, we have to battle libselinux which looks at /sys/fs/selinux etc. Our own sepolicy class also dispatches on that.

Now, when we're operating on a host system that does have selinux enabled, I think it's better to use setfscreatecon() where we can to ensure atomicity of the security labels. But if not...I think the patches will look something like this:

--- a/src/libostree/ostree-repo-checkout.c
+++ b/src/libostree/ostree-repo-checkout.c
@@ -210,7 +210,7 @@ create_file_copy_from_input_at (OstreeRepo     *repo,
   g_autoptr(GVariant) modified_xattrs = NULL;
 
   /* If we're doing SELinux labeling, prepare it */
-  if (sepolicy_enabled)
+  if (sepolicy_enabled && options->sepolicy->host_enabled())
     {
       /* If doing sepolicy path-based labeling, we don't want to set the
        * security.selinux attr via the generic xattr paths in either the symlink
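Review bot: `options->sepolicy->host_enabled()` is method-call syntax on a C struct pointer and will not compile in ostree-repo-checkout.c as written; since the text above presents this as a sketch, the real change needs an accessor function that takes the sepolicy object as its argument. It would also help to evaluate that host-enabled test once into a named local at the top of create_file_copy_from_input_at() and reuse it wherever `sepolicy_enabled` currently gates the setfscreatecon() path, so the decision to skip the generic security.selinux write and the decision to label via setfscreatecon() cannot diverge and leave a file with neither.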

Basically, if the host doesn't have selinux enabled, we just write the security.selinux xattr the same as all other xattrs (which works fine with selinux disabled on the host).
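As an added example (not ostree code), the host/target decision sketched in the hunk above together with the "is everything labeled?" check described further down this thread, both run over constructed in-memory data so they work on any host; the `Xattr` and `Entry` types, xattr names and label values are illustrative, not ostree's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SELINUX_XATTR "security.selinux"
/* Hypothetical in-memory shapes; ostree itself carries xattrs in a GVariant. */
typedef struct { const char *name; const char *value; } Xattr;
typedef struct { const char *path; const Xattr *xattrs; size_t n; } Entry;
/* The hunk's decision: security.selinux is left out of the generic xattr
 * writes (so setfscreatecon() can apply it atomically) only when the host
 * itself runs SELinux; otherwise it is written like any other xattr.
 * Copies the kept xattrs to `out` when non-NULL and returns their count. */
static size_t filter_xattrs (const Xattr *in, size_t n, Xattr *out,
                             bool target_has_policy, bool host_selinux_enabled)
{
  bool via_fscreatecon = target_has_policy && host_selinux_enabled;
  size_t kept = 0;
  for (size_t i = 0; i < n; i++) {
    if (via_fscreatecon && strcmp (in[i].name, SELINUX_XATTR) == 0)
      continue;
    if (out)
      out[kept] = in[i];
    kept++;
  }
  return kept;
}

/* The audit from the later comment: count and report entries with no label. */
static size_t count_unlabeled (const Entry *entries, size_t n)
{
  size_t missing = 0;
  for (size_t i = 0; i < n; i++) {
    bool labeled = false;
    for (size_t j = 0; j < entries[i].n; j++)
      if (strcmp (entries[i].xattrs[j].name, SELINUX_XATTR) == 0)
        labeled = true;
    if (!labeled) {
      fprintf (stderr, "unlabeled: %s\n", entries[i].path);
      missing++;
    }
  }
  return missing;
}

/* Constructed sample data; paths mirror the comment, labels are illustrative. */
static const Xattr sample_xattrs[] = {
  { "user.ostree.test", "1" }, { SELINUX_XATTR, "system_u:object_r:bin_t:s0" } };
static const Xattr var_label[] = { { SELINUX_XATTR, "system_u:object_r:var_t:s0" } };
static const Entry sample_entries[] = {
  { "ostree/repo/objects/a1", var_label, 1 },
  { "ostree/repo/refs", NULL, 0 },
  { "ostree/deploy/default/var/.ostree-selabeled", NULL, 0 } };
```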

@cgwalters cgwalters added triaged This issue has been evaluated and is valid difficulty/medium medium complexity/difficutly issue reward/small This is a minor fix or cleanup labels May 3, 2023
@cgwalters (Member, Author)

Though note that composefs will partially obviate this because the selinux labels for the content objects will be part of the erofs, not the backing filesystem. However, we still need to care about labeling for everything else - it's not going to really work to leave e.g. /ostree/repo unlabeled.

Ultimately...SELinux kind of breaks the core ostree design of having a data storage independent of the OS - the label for /ostree may in theory vary per operating system.

One thing that would probably help break this deadlock is to add support for "initialize-and-deploy" as a single transactional step, like:

$ ostree container image deploy --initialize-sysroot /sysroot ...

Unlike --sysroot this would require that the target root be empty, and we'd do basically:

$ ostree admin init-fs --sysroot /sysroot
$ ostree admin init-stateroot --sysroot /sysroot $stateroot
<deploy container image>

Then we fetch the policy from the target image, and then go back and relabel all the files/directories used up till that point.

In the case where the system setting up the deployment root is the same as the target (which ideally we do in general), then we could also break this deadlock by having a build-time "default" label (root_t e.g.) and supporting e.g. ostree admin init-fs --sysroot /sysroot --selinux, which would force on SELinux labeling using that default label.

Hmm, and we probably want something like env OSTREE_SYSROOT_OPTS=force-selinux or so? Or maybe it should actually be an option in the repo.

mvo5 added a commit to mvo5/ostree that referenced this issue Jan 31, 2024
Currently when writing data for selinux systems on a non-selinux
system there will be no labels. This is because
`ostree_sepolicy_setfscreatecon()` just returns TRUE on non-selinux
systems and xattr writing for `security.seliux` is filtered out.

This patch uses the suggestion of Colin Walters (thanks!) from
ostreedev#2804 and detects if
the host has selinux enabled and if not just skips filtering the
xattrs for selinux.
cgwalters pushed a commit to mvo5/ostree that referenced this issue Feb 6, 2024
cgwalters pushed a commit to mvo5/ostree that referenced this issue Feb 6, 2024
mvo5 added a commit to mvo5/ostree that referenced this issue Feb 8, 2024
mvo5 added a commit to mvo5/ostree that referenced this issue Feb 8, 2024
@cgwalters (Member, Author)

Some more on this in e.g. containers/bootc#397 - we have a warning test there and it reveals tons of missing things for this:

  • repo object directories ostree/repo/objects/a1
  • All repository metadata objects .dirtree, .dirmeta, .commit etc.
  • Everything in ostree/repo/refs
  • Everything under ostree/deploy
  • Very ironically, the ostree/deploy/default/var/.ostree-selabeled file
