restorecon doesn't work in ostree native container builds

[solopasha]

Host system details

State: idle
Deployments:
● ostree-unverified-image:containers-storage:localhost/swtpm-test
                   Digest: sha256:142d1951e54e6cdb10cfe7f385d1be569772f8928b73ac5708625ed87e37d553
                  Version: 38.20230724.0 (2023-07-24T13:18:51Z)
          LayeredPackages: langpacks-en
 
  fedora:fedora/38/x86_64/silverblue
                  Version: 38.20230724.0 (2023-07-24T00:47:54Z)
               BaseCommit: 536e6f48f3b1ce98b250ec8247e6d8947dd256e8d8fc738092f8b313114787f2
             GPGSignature: Valid signature by 6A51BBABBA3D5467B6171221809A8D7CEB10B464
          LayeredPackages: langpacks-en

Expected vs actual behavior

Actual:

swtpm gets an incorrect SELinux label when layered in a container build preventing VMs with an emulated tpm from starting.

ls -Z /usr/bin/swtpm
system_u:object_r:bin_t:s0 /usr/bin/swtpm

Expected:

ls -Z /usr/bin/swtpm 
system_u:object_r:swtpm_exec_t:s0 /usr/bin/swtpm

Steps to reproduce it

1. Containerfile:

FROM quay.io/fedora-ostree-desktops/base:38
RUN rpm-ostree install swtpm && \
    ostree container commit

2. podman build -t swtpm-test .
3. rpm-ostree rebase ostree-unverified-image:containers-storage:localhost/swtpm-test
4. boot into the deployment
5. ls -Z /usr/bin/swtpm

Would you like to work on the issue?

No, sorry.

[jpeeler]

Probably related to ostreedev/ostree-rs-ext#510.

[cgwalters]

Yeah, this is a duplicate of that issue.