prepare.sh: label osbuild,setfiles "correctly" in the container

prepare.sh

@@ -3,8 +3,7 @@
 set -euo pipefail
 
 # Create a new tmpfs. This solves two issues for us:
-# - / is mounted as nosuid, this prevents SELinux to transition to `install_t` because domain transitions are
-#   disallowed if they give more caps to the process and the target executable is on `nosuid` filesystem
+# - / can be mounted as overlayfs with all files being `system_u:object_r:container_files_t`
 # - / can be mounted as OverlayFS that doesn't support overlaying SELinux labels. Thus, we need to ensure that
 #  the relabeling happens on a mountpoint that's definitely not an OverlayFS.
 TMP=/run/suidtmp
@@ -16,15 +15,16 @@ mount -t tmpfs tmpfs "${TMP}"
 
 # Copy osbuild to the new mountpoint.
 cp /usr/bin/osbuild "${TMP}/osbuild"
+# Also copy setfiles
+cp /usr/sbin/setfiles "${TMP}/setfiles"
 
-# Label it as `install_exec_t`. We need this in order to get `install_t` that has `CAP_MAC_ADMIN` for creating SELinux
-# labels unknown to the host.
-#
-# Note that the transition to `install_t` must happen at this point. Osbuild stages run in `bwrap` that creates
-# a nosuid, no_new_privs environment. In such an environment, we cannot transition from `unconfined_t` to `install_t`,
-# because we would get more privileges.
-chcon system_u:object_r:install_exec_t:s0 "${TMP}/osbuild"
+# All labels inside the container are "wrong" but the only two we care
+# about are "osbuild" and "setfiles" so label them "correctly" (as
+# they are labeled on a real system).
+chcon system_u:object_r:osbuild_exec_t:s0 "${TMP}/osbuild"
+chcon system_u:object_r:setfiles_exec_t:s0 "${TMP}/setfiles"
 
 # "Copy" back the relabeled osbuild to its right place. We obviously cannot copy it, so let's bind-mount it instead.
 # Once again, we don't care about clean-up, this is MS_SHARED.
 mount -o bind "${TMP}/osbuild" /usr/bin/osbuild
+mount -o bind "${TMP}/setfiles" /usr/bin/setfiles