generator: Add bootc-early-overlay-relabel for transient overlay SELinux fix

Transient overlays (/) inherit tmpfs_t from the upper dir's tmpfs via
fs_use_trans at SELinux policy-load time. Add a generator-emitted oneshot
unit, bootc-early-overlay-relabel.service, that runs
'bootc internals relabel-overlay-mountpoints' before sysinit.target to
restore the correct label on each writable overlayfs mount point.

Two detection paths, both needed because the generator runs before
local-fs.target:

- Root writability: inspect the mount source for the
  "transient:composefs=" prefix to detect a transient root overlay.

- Subdir mounts (/etc): bootc-root-setup.service mounts these after the
  generator, so we read setup-root-conf.toml directly from the booted
  image to know whether /etc will be a transient overlay.

The detection block runs before the OSTREE_BOOTED guard: native composefs
boots do not write /run/ostree-booted, but still need the relabel unit.

relabel_overlay_mountpoints() checks both OVERLAYFS_SUPER_MAGIC and
!RDONLY to distinguish writable transient overlays from the read-only
composefs root (both are overlayfs, only the former needs relabelling).

Assisted-by: OpenCode (claude-sonnet-4-6@default)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.lock

@@ -14,6 +14,7 @@ rustix.workspace = true
 serde = { workspace = true, features = ["derive"] }
 composefs-ctl.workspace = true
 toml.workspace = true
+tracing.workspace = true
 fn-error-context.workspace = true
 bootc-kernel-cmdline =  { path = "../kernel_cmdline", version = "0.0.0" }
 

crates/initramfs/Cargo.toml

@@ -119,6 +119,39 @@ struct Config {
     root: RootConfig,
 }
 
+/// Default path to the setup-root configuration file, relative to the booted root.
+pub const SETUP_ROOT_CONF_PATH: &str = "/usr/lib/composefs/setup-root-conf.toml";
+
+/// Returns `true` if the configuration at `path` requests a transient `/etc`
+/// overlay.  Used by the systemd generator to decide whether to emit the
+/// SELinux relabel unit *before* those mounts exist (the generator runs before
+/// `local-fs.target`).
+///
+/// Returns `false` if the file is absent or unreadable (safe default: no unit
+/// emitted for non-transient systems).
+pub fn config_has_transient_submounts(path: &std::path::Path) -> bool {
+    let text = match std::fs::read_to_string(path) {
+        Ok(t) => t,
+        Err(e) => {
+            tracing::debug!("Could not read {}: {e:#}", path.display());
+            return false;
+        }
+    };
+    let config: Config = match toml::from_str(&text) {
+        Ok(c) => c,
+        Err(e) => {
+            tracing::debug!("Could not parse {}: {e:#}", path.display());
+            return false;
+        }
+    };
+    // Only /etc overlay triggers the relabel unit.
+    let is_transient = |mc: &MountConfig| match mc.mount {
+        Some(mt) => mt == MountType::Transient,
+        None => mc.transient,
+    };
+    is_transient(&config.etc)
+}
+
 /// Command-line arguments
 #[derive(Parser, Debug)]
 pub struct Args {

crates/initramfs/src/lib.rs

@@ -649,6 +649,9 @@ pub(crate) enum InternalsOpts {
         /// Relabel this path
         path: Utf8PathBuf,
     },
+    /// Relabel the overlay mount point inodes after SELinux policy load.
+    /// Called by the generated bootc-early-overlay-relabel unit.
+    RelabelOverlayMountpoints,
     /// Proxy frontend for the `ostree-ext` CLI.
     OstreeExt {
         #[clap(allow_hyphen_values = true)]
@@ -2112,6 +2115,9 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 crate::lsm::relabel_recurse(root, path, as_path.as_deref(), sepolicy)?;
                 Ok(())
             }
+            InternalsOpts::RelabelOverlayMountpoints => {
+                crate::generator::relabel_overlay_mountpoints()
+            }
             InternalsOpts::BootcInstallCompletion { sysroot, stateroot } => {
                 let rootfs = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
                 crate::install::completion::run_from_ostree(rootfs, &sysroot, &stateroot).await

crates/lib/src/cli.rs

@@ -1,11 +1,12 @@
 use std::io::BufRead;
 
 use anyhow::{Context, Result};
-use camino::Utf8PathBuf;
+use camino::{Utf8Path, Utf8PathBuf};
 use cap_std::fs::Dir;
 use cap_std_ext::{cap_std, dirext::CapStdExtDirExt};
 use fn_error_context::context;
 use ostree_ext::container_utils::{OSTREE_BOOTED, is_ostree_booted_in};
+use ostree_ext::{gio, ostree};
 use rustix::{fd::AsFd, fs::StatVfsMountFlags};
 
 use crate::install::DESTRUCTIVE_CLEANUP;
@@ -17,6 +18,8 @@ const MULTI_USER_TARGET: &str = "multi-user.target";
 const EDIT_UNIT: &str = "bootc-fstab-edit.service";
 const FSTAB_ANACONDA_STAMP: &str = "Created by anaconda";
 pub(crate) const BOOTC_EDITED_STAMP: &str = "Updated by bootc-fstab-edit.service";
+const TRANSIENT_RELABEL_UNIT: &str = "bootc-early-overlay-relabel.service";
+const SYSINIT_TARGET: &str = "sysinit.target";
 
 /// Called when the root is read-only composefs to reconcile /etc/fstab
 #[context("bootc generator")]
@@ -86,7 +89,53 @@ pub(crate) fn unit_enablement_impl(sysroot: &Dir, unit_dir: &Dir) -> Result<()>
 
 /// Main entrypoint for the generator
 pub(crate) fn generator(root: &Dir, unit_dir: &Dir) -> Result<()> {
-    // Only run on ostree systems
+    // === Relabel unit: runs for ALL composefs boots (native or ostree) ===
+    // Must be before the ostree-booted guard because native composefs boots do
+    // not write /run/ostree-booted, but still need the relabel unit when any
+    // transient overlay is active.
+    //
+    // Gate on the root being overlayfs (composefs always mounts an overlay, so
+    // this excludes non-composefs systems without needing the ostree-booted marker).
+    //
+    // Two triggering conditions, detected independently:
+    //
+    // 1. Transient root: the initramfs sets the overlay source to
+    //    "transient:composefs=<digest>" in /proc/self/mountinfo.  Detect via
+    //    inspect_filesystem() rather than fstatvfs() because the `ro` kernel
+    //    cmdline flag can make an otherwise-writable overlay appear read-only
+    //    at generator time.
+    //
+    // 2. Transient /etc: this is mounted by bootc-root-setup.service
+    //    which runs *after* the generator, so fstatvfs would see the read-only
+    //    composefs at generator time.  Read setup-root-conf.toml directly from
+    //    the booted image instead.
+    {
+        let st = rustix::fs::fstatfs(root.as_fd())?;
+        if st.f_type == libc::OVERLAYFS_SUPER_MAGIC {
+            let root_is_transient =
+                match bootc_mount::inspect_filesystem(camino::Utf8Path::new("/")) {
+                    Ok(fs) => fs.source.starts_with("transient:composefs="),
+                    Err(e) => {
+                        tracing::debug!("Could not inspect root filesystem: {e:#}");
+                        false
+                    }
+                };
+            let submounts_are_transient = bootc_initramfs_setup::config_has_transient_submounts(
+                std::path::Path::new(bootc_initramfs_setup::SETUP_ROOT_CONF_PATH),
+            );
+            if root_is_transient || submounts_are_transient {
+                tracing::debug!(
+                    root_is_transient,
+                    submounts_are_transient,
+                    "Transient overlay detected; generating relabel unit"
+                );
+                generate_transient_overlay_relabel(unit_dir)?;
+            }
+        }
+    }
+
+    // === Ostree-specific generator logic ===
+    // Only run on ostree systems (native composefs boots skip below).
     if !root.try_exists(OSTREE_BOOTED)? {
         return Ok(());
     }
@@ -97,15 +146,17 @@ pub(crate) fn generator(root: &Dir, unit_dir: &Dir) -> Result<()> {
 
     unit_enablement_impl(sysroot, unit_dir)?;
 
-    // Also only run if the root is a read-only overlayfs (a composefs really)
+    // Only run for overlayfs roots (composefs mounts an overlay, regular or transient).
     let st = rustix::fs::fstatfs(root.as_fd())?;
     if st.f_type != libc::OVERLAYFS_SUPER_MAGIC {
         tracing::trace!("Root is not overlayfs");
         return Ok(());
     }
+
+    // The fstab editor only applies to read-only composefs roots (not transient).
     let st = rustix::fs::fstatvfs(root.as_fd())?;
     if !st.f_flag.contains(StatVfsMountFlags::RDONLY) {
-        tracing::trace!("Root is writable");
+        tracing::trace!("Root is writable, skipping fstab generator");
         return Ok(());
     }
 
@@ -137,6 +188,58 @@ ExecStart=bootc internals fixup-etc-fstab\n\
     Ok(())
 }
 
+/// Generate a oneshot service that relabels the transient overlay inode
+/// after SELinux policy loads, fixing the tmpfs_t label SELinux assigns to
+/// overlay upper-dir inodes at policy-load time.
+fn generate_transient_overlay_relabel(unit_dir: &Dir) -> Result<()> {
+    unit_dir.atomic_write(
+        TRANSIENT_RELABEL_UNIT,
+        include_str!("units/bootc-early-overlay-relabel.service"),
+    )?;
+    let wants = format!("{SYSINIT_TARGET}.wants");
+    unit_dir.create_dir_all(&wants)?;
+    unit_dir.symlink(
+        &format!("../{TRANSIENT_RELABEL_UNIT}"),
+        &format!("{wants}/{TRANSIENT_RELABEL_UNIT}"),
+    )?;
+    Ok(())
+}
+
+/// Relabel transient overlay mount point inodes using the running SELinux policy.
+/// Called by the generated bootc-early-overlay-relabel.service oneshot to fix
+/// the tmpfs_t label that fs_use_trans assigns to overlay upper-dir inodes at
+/// policy-load time.  Each of /, /etc, /var is relabelled iff it is a writable
+/// overlayfs (i.e. a transient overlay, not the read-only composefs).
+pub(crate) fn relabel_overlay_mountpoints() -> Result<()> {
+    let policy = ostree::SePolicy::new(&gio::File::for_path("/"), gio::Cancellable::NONE)
+        .context("Loading SELinux policy")?;
+    for path in ["/", "/etc", "/var"] {
+        let dir = Dir::open_ambient_dir(path, cap_std::ambient_authority())
+            .with_context(|| format!("Opening {path}"))?;
+        let st = rustix::fs::fstatfs(dir.as_fd())?;
+        if st.f_type != libc::OVERLAYFS_SUPER_MAGIC {
+            tracing::trace!("{path} is not an overlayfs mount, skipping relabel");
+            continue;
+        }
+        let stv = rustix::fs::fstatvfs(dir.as_fd())?;
+        if stv.f_flag.contains(StatVfsMountFlags::RDONLY) {
+            tracing::trace!("{path} is a read-only overlayfs (composefs), skipping relabel");
+            continue;
+        }
+        let metadata = dir.metadata(".").with_context(|| format!("stat {path}"))?;
+        crate::lsm::relabel(
+            &dir,
+            &metadata,
+            Utf8Path::new("."),
+            Some(Utf8Path::new(path)),
+            &policy,
+        )
+        .with_context(|| format!("Relabelling {path}"))?;
+        tracing::debug!("Relabelled {path}");
+    }
+    Ok(())
+}
+
 #[cfg(test)]
 mod tests {
     use camino::Utf8Path;
@@ -241,6 +344,51 @@ mod tests {
             Ok(())
         }
 
+        #[test]
+        fn test_transient_overlay_relabel_generated() -> Result<()> {
+            let tempdir = fixture()?;
+            let unit_dir = &tempdir.open_dir("run/systemd/system")?;
+
+            // We can't fake fstatfs or findmnt, so call generate_transient_overlay_relabel directly.
+            generate_transient_overlay_relabel(unit_dir)?;
+
+            // The unit file must exist
+            assert!(unit_dir.try_exists(TRANSIENT_RELABEL_UNIT)?);
+            // The symlink in sysinit.target.wants must point at the generated unit
+            let wants = format!("{SYSINIT_TARGET}.wants");
+            let link = unit_dir.read_link_contents(format!("{wants}/{TRANSIENT_RELABEL_UNIT}"))?;
+            let link: camino::Utf8PathBuf = link.try_into().unwrap();
+            assert_eq!(link, format!("../{TRANSIENT_RELABEL_UNIT}"));
+            // The unit must invoke bootc internals relabel-overlay-mountpoints
+            let content = unit_dir.read_to_string(TRANSIENT_RELABEL_UNIT)?;
+            assert!(
+                content.contains("ExecStart=bootc internals relabel-overlay-mountpoints"),
+                "unexpected unit content: {content}"
+            );
+
+            Ok(())
+        }
+
+        #[test]
+        fn test_transient_overlay_relabel_idempotent() -> Result<()> {
+            let tempdir = fixture()?;
+            let unit_dir = &tempdir.open_dir("run/systemd/system")?;
+
+            // Calling generate_transient_overlay_relabel twice must succeed
+            generate_transient_overlay_relabel(unit_dir)?;
+            // Second call: atomic_write overwrites the unit file; symlink already exists
+            // (symlink won't be re-created because the dir already contains it).
+            // The test just checks the call doesn't error.
+            // We need to remove the old symlink first (same as how enable_unit does it).
+            let wants = format!("{SYSINIT_TARGET}.wants");
+            unit_dir.remove_file_optional(format!("{wants}/{TRANSIENT_RELABEL_UNIT}"))?;
+            generate_transient_overlay_relabel(unit_dir)?;
+
+            assert!(unit_dir.try_exists(TRANSIENT_RELABEL_UNIT)?);
+
+            Ok(())
+        }
+
         #[test]
         fn test_generator_fstab_idempotent() -> Result<()> {
             let anaconda_fstab = indoc::indoc! { "

crates/lib/src/generator.rs

@@ -0,0 +1,12 @@
+[Unit]
+Description=Fix SELinux labels on transient overlay mount points
+Documentation=man:bootc(1)
+DefaultDependencies=no
+ConditionSecurity=selinux
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=bootc internals relabel-overlay-mountpoints