Bootable Containers: Incorrect SELinux labels for package layered with an SELinux module & missing xattrs

If you layer a package that comes with its own SELinux module (swtpm for example), then the binary will not have the correct SELinux label.

This is because container layer builds cannot set the SELinux labels during installation, and thus for now ostree-rs-ext/rpm-ostree/bootc resets the label to the default one from the base image SELinux policy.

If a labeling config is included in an SELinux policy module installed as a layer, then ostree-rs-ext/rpm-ostree/bootc does not take it into account.

The same applies to extended attributes (xattrs).

See:

Edited by Timothée Ravier
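
A way to spot the mislabeling described above, as an added example that is not part of the original issue or of ostree-rs-ext/rpm-ostree/bootc: it resolves the label a file-contexts configuration expects for a path and compares it with the label the file actually carries. The sample entries, the type names `bin_t` and `swtpm_exec_t`, and the "last matching rule wins" lookup are assumptions made for illustration.

```python
import os
import re
import sys

# Constructed sample entries: a base-policy default followed by the entry a
# layered module's labeling config would add (type names are assumptions).
SAMPLE_FILE_CONTEXTS = """\
/usr/bin(/.*)?      system_u:object_r:bin_t:s0
/usr/bin/swtpm  --  system_u:object_r:swtpm_exec_t:s0
"""
# Constructed observation: the layered binary was reset to the base default.
SAMPLE_OBSERVED = {"/usr/bin/swtpm": "system_u:object_r:bin_t:s0",
                   "/usr/bin/ls": "system_u:object_r:bin_t:s0"}

def parse_file_contexts(text):
    """Parse 'regex [file-type] context' lines into (compiled regex, context)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # skip blank lines and comments
            rules.append((re.compile(fields[0]), fields[-1]))
    return rules

def expected_label(rules, path):
    """Assumed simplification of the real lookup: the last matching rule wins."""
    hits = [ctx for regex, ctx in rules if regex.fullmatch(path)]
    return hits[-1] if hits else None

def actual_label(path):
    """Read the security.selinux xattr; None if the file or the xattr is missing."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None

def find_mislabeled(rules, observed):
    """Return {path: (actual, expected)} for paths whose label differs from policy."""
    bad = {}
    for path, actual in observed.items():
        want = expected_label(rules, path)
        if want is not None and actual != want:
            bad[path] = (actual, want)
    return bad

if __name__ == "__main__":
    rules = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    # Paths given on the command line are read from disk; otherwise use the sample.
    observed = {p: actual_label(p) for p in sys.argv[1:]} or SAMPLE_OBSERVED
    for path, (actual, want) in find_mislabeled(rules, observed).items():
        print(f"{path}: has {actual}, policy expects {want}")
```

A file with no `security.selinux` xattr at all is reported with an actual label of `None`, which also surfaces the missing-xattr case.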