TEST-06-SELINUX: Various fixes

- Stop installing the policy in the initramfs as it's not really
supported anyway (https://github.com/fedora-selinux/selinux-policy/issues/2221)
- Stop relabeling on first boot and prefer to do it at image build time
- Disable mkosi relabeling by default but enable it in CI
- Build image as root in CI so the SELinux relabeling works properly

1 files changed, 3 insertions, 10 deletions

diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
index 9fe5509695..0a388f3c08 100644
--- a/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
+++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf.d/10-selinux.conf
@@ -1,20 +1,13 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
+# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
+# building a /usr-only image.
+
 [Match]
 Profile=!particle
 
 [Content]
-# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
-# building a /usr-only image.
 Packages=
         selinux-policy
         selinux-policy-targeted
         setools-console
-
-# We relabel on first boot instead of at build time because it is only possible to label without root
-# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
-SELinuxRelabel=no
-
-InitrdPackages=
-        selinux-policy
-        selinux-policy-targeted