overlay/15fcos: fix selinux labels in /boot and /sysroot

[jbtrystram]

/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to a missing step in the OSBuild pipeline as this started with coreos/fedora-coreos-tracker#1653.

This should be removed after the next barrier release, if the newly produced images are fixed.

See coreos/fedora-coreos-tracker#1771 And coreos/fedora-coreos-tracker#1772

[travier]

See https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_running_restorecon for why you should never run restorecon -R on /sysroot.

It's also part of the reasons that we made /sysroot RO by default on Atomic Desktops. There should be more links in the change page.

[dustymabe]

Probably going to need to make this more complex unfortunately: https://github.com/coreos/fedora-coreos-tracker/issues/1772#issuecomment-2338849028

[travier]

Let's focus on /boot first as that's what blocking bootupd. We can fix /sysroot afterwards.

[jbtrystram]

Here is what the root filesystem looks like after this script ran. For comparison, this is extracted from a good filesystem the only file i am curious about is /ostree/deploy/fedora-coreos/deploy/$COMMIT.0.origin

[dustymabe]

I've updated this PR to fix existing FCOS and RHCOS systems and to include the tests from https://github.com/coreos/fedora-coreos-config/pull/3172 (which I'll now close in favor of this PR for those tests).

[dustymabe]

I think I've tested this enough now that I'm comfortable with it merging if it passes review.

[jbtrystram]

I can't approved my own PR, but LGTM !

[dustymabe]

I'll leave this open for a few more hours for further reviews.