install: Skip immutable deployment checkouts in final SELinux relabeling

Ostree sets the immutable ext4 attribute on each deployment checkout
directory, which causes lsetfilecon() to return EPERM during the final
SELinux relabeling pass even though those files are already correctly
labeled by the earlier composefs import pass.

Rather than skipping the entire ostree/deploy subtree (which would leave
stateroot metadata and var directories unlabeled), enumerate the actual
checkout directories under ostree/deploy/<stateroot>/deploy/ and skip
only those immutable roots by dev/ino.

Also generalise ensure_dir_labeled_recurse to accept a slice of
(dev, ino) pairs to skip rather than a single Option, so multiple
checkout directories can be excluded in one pass.

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/install.rs

@@ -1208,7 +1208,7 @@ async fn install_container(
                 &root_setup.physical_root,
                 &mut pathbuf,
                 policy,
-                Some(deployment_root_devino),
+                &[deployment_root_devino],
             )
             .with_context(|| format!("Recursive SELinux relabeling of {d}"))?;
         }
@@ -2093,7 +2093,34 @@ async fn install_to_filesystem_impl(
     if let Some(policy) = state.load_policy()? {
         tracing::info!("Performing final SELinux relabeling of physical root");
         let mut path = Utf8PathBuf::from("");
-        crate::lsm::ensure_dir_labeled_recurse(&rootfs.physical_root, &mut path, &policy, None)
+        // Ostree sets the immutable ext4 attribute on each deployment checkout
+        // directory, which causes lsetfilecon() to return EPERM.  Those dirs
+        // are already correctly labeled by the earlier composefs import pass,
+        // so skip each checkout by dev/ino.  We enumerate them directly rather
+        // than skipping the whole ostree/deploy subtree so that the stateroot
+        // and var directories (which are not immutable) still get labeled.
+        let mut skip: Vec<(libc::dev_t, libc::ino64_t)> = Vec::new();
+        let deploy_dir = "ostree/deploy";
+        if let Some(statered_dir) = rootfs.physical_root.open_dir_optional(deploy_dir)? {
+            for stateroot in statered_dir.entries()? {
+                let stateroot = stateroot?;
+                if !stateroot.file_type()?.is_dir() {
+                    continue;
+                }
+                let deploy_subdir = stateroot.open_dir()?.open_dir_optional("deploy")?;
+                if let Some(deploy_subdir) = deploy_subdir {
+                    for checkout in deploy_subdir.entries()? {
+                        let checkout = checkout?;
+                        if !checkout.file_type()?.is_dir() {
+                            continue;
+                        }
+                        let m = checkout.metadata()?;
+                        skip.push((m.dev() as libc::dev_t, m.ino() as libc::ino64_t));
+                    }
+                }
+            }
+        }
+        crate::lsm::ensure_dir_labeled_recurse(&rootfs.physical_root, &mut path, &policy, &skip)
             .context("Final SELinux relabeling of physical root")?;
     } else {
         tracing::debug!("Skipping final SELinux relabel (SELinux is disabled)");

crates/lib/src/lsm.rs

@@ -391,13 +391,13 @@ pub(crate) fn relabel_recurse(
 /// Uses the `walk` API with `noxdev` and `skip_mountpoints` to avoid crossing
 /// mount point boundaries
 /// (e.g. into sysfs, procfs, etc.).
-/// The provided `skip` parameter is a device/inode pair that we will ignore
-/// (and not traverse into).
+/// The provided `skip` parameter is a list of device/inode pairs to ignore
+/// (and not traverse into).  Pass an empty slice to skip nothing.
 pub(crate) fn ensure_dir_labeled_recurse(
     root: &Dir,
     path: &mut Utf8PathBuf,
     policy: &ostree::SePolicy,
-    skip: Option<(libc::dev_t, libc::ino64_t)>,
+    skip: &[(libc::dev_t, libc::ino64_t)],
 ) -> Result<()> {
     use cap_std_ext::dirext::WalkConfiguration;
     use std::ops::ControlFlow;
@@ -432,18 +432,17 @@ pub(crate) fn ensure_dir_labeled_recurse(
             let metadata = component.entry.metadata()?;
 
             // Check if this entry should be skipped
-            if let Some((skip_dev, skip_ino)) = skip {
-                if (metadata.dev(), metadata.ino()) == (skip_dev, skip_ino) {
-                    tracing::debug!("Skipping dev={skip_dev} inode={skip_ino}");
-                    // For directories, Break skips traversal into the directory
-                    // but continues with the next sibling. For non-directories,
-                    // Break would skip all remaining siblings, so use Continue
-                    // to skip only this entry.
-                    if component.file_type.is_dir() {
-                        return Ok(ControlFlow::Break(()));
-                    } else {
-                        return Ok(ControlFlow::Continue(()));
-                    }
+            let devino = (metadata.dev() as libc::dev_t, metadata.ino() as libc::ino64_t);
+            if skip.contains(&devino) {
+                tracing::debug!("Skipping dev={} inode={}", devino.0, devino.1);
+                // For directories, Break skips traversal into the directory
+                // but continues with the next sibling. For non-directories,
+                // Break would skip all remaining siblings, so use Continue
+                // to skip only this entry.
+                if component.file_type.is_dir() {
+                    return Ok(ControlFlow::Break(()));
+                } else {
+                    return Ok(ControlFlow::Continue(()));
                 }
             }