install: Label composefs objects as /usr for SELinux

The composefs object store currently has no matching SELinux policy
for its storage path, so its contents end up labeled as default_t
which causes AVC denials at runtime. Explicitly label the composefs
directory tree as /usr (giving objects usr_t) after the composefs
install completes.

Future work should increase the granularity of SELinux behavior here,
ideally adding composefs-specific types and policy instead of re-using
usr_t.

Closes: #1826
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: John Eckersberg <jeckersb@redhat.com>

Author: jeckersb

crates/lib/src/install.rs

@@ -1967,6 +1967,19 @@ async fn install_to_filesystem_impl(
             state.composefs_options.allow_missing_verity,
         )
         .await?;
+
+        // Label composefs objects as /usr so they get usr_t rather than
+        // default_t (which has no policy match).
+        if let Some(policy) = state.load_policy()? {
+            tracing::info!("Labeling composefs objects as /usr");
+            crate::lsm::relabel_recurse(
+                &rootfs.physical_root,
+                "composefs",
+                Some("/usr".into()),
+                &policy,
+            )
+            .context("SELinux labeling of composefs objects")?;
+        }
     } else {
         ostree_install(state, rootfs, cleanup).await?;
     }