install: Only invoke chcon if SELinux enabled in the source

We shouldn't try to do any SELinux labeling if the source
doesn't have it.

xref containers#83

Signed-off-by: Colin Walters <walters@verbum.org>

lib/src/install.rs

@@ -185,6 +185,21 @@ pub(crate) struct State {
  pub(crate) install_config: config::InstallConfiguration,
 }
 
+impl State {
+ // Wraps core lsm labeling functionality, conditionalizing based on source state
+ pub(crate) fn lsm_label(
+ &self,
+ target: &Utf8Path,
+ as_path: &Utf8Path,
+ recurse: bool,
+ ) -> Result<()> {
+ if !self.source.selinux {
+ return Ok(());
+ }
+ crate::lsm::lsm_label(target, as_path, recurse)
+ }
+}
+
 /// Path to initially deployed version information
 const BOOTC_ALEPH_PATH: &str = ".bootc-aleph.json";
 
@@ -438,7 +453,7 @@ async fn initialize_ostree_root_from_self(
  .run()?;
 
  // Ensure everything in the ostree repo is labeled
- lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?;
+ state.lsm_label(&rootfs.join("ostree"), "/usr".into(), true)?;
 
  let sysroot = ostree::Sysroot::new(Some(&gio::File::for_path(rootfs)));
  sysroot.load(cancellable)?;

lib/src/install/baseline.rs

@@ -346,15 +346,15 @@ pub(crate) fn install_create_rootfs(
  .collect::<Vec<_>>();
 
  mount::mount(&rootdev, &rootfs)?;
- lsm_label(&rootfs, "/".into(), false)?;
+ state.lsm_label(&rootfs, "/".into(), false)?;
  let rootfs_fd = Dir::open_ambient_dir(&rootfs, cap_std::ambient_authority())?;
  let bootfs = rootfs.join("boot");
  std::fs::create_dir(&bootfs).context("Creating /boot")?;
  // The underlying directory on the root should be labeled
- lsm_label(&bootfs, "/boot".into(), false)?;
+ state.lsm_label(&bootfs, "/boot".into(), false)?;
  mount::mount(bootdev, &bootfs)?;
  // And we want to label the root mount of /boot
- lsm_label(&bootfs, "/boot".into(), false)?;
+ state.lsm_label(&bootfs, "/boot".into(), false)?;
 
  // Create the EFI system partition, if applicable
  if let Some(espdev) = espdev {