From 9a913243ffaf26e06f151c3c293b62e28ec549f1 Mon Sep 17 00:00:00 2001
From: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
Date: Thu, 27 Nov 2025 16:21:15 +0530
Subject: [PATCH] selinux-image: Preserve SELinux contexts in tarballs

Tarball images were created without SELinux context information,
causing loss of security labels during extraction while working with
features like:ostree. This breaks SELinux policy enforcement and requires
relabeling after deployment, adding runtime overhead.

Append "--selinux" to IMAGE_CMD_TAR to include SELinux file contexts
when generating tarball images. This ensures security labels are
preserved across image creation and deployment.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 classes/selinux-image.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index b4f9321..852db5f 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -26,4 +26,6 @@ python selinux_setlabels_handler() {
 addhandler selinux_setlabels_handler
 selinux_setlabels_handler[eventmask] = "bb.event.RecipePreFinalise"
 
+IMAGE_CMD_TAR:append = " --selinux"
+
 inherit core-image