[BUG] Installation of Safing Portmaster fails: chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported

[CheariX]

Describe the bug
When I try to install portmaster on Fedora Silverblue 36 with rpm-ostree install portmaster-installer.rpm., the operation fails in ostree's %post phase:

journalctl -t 'rpm-ostree(portmaster.post)'
> rpm-ostree(portmaster.post)[67337]: /proc/self/fd/5: line 30: [: : integer expression expected
> rpm-ostree(portmaster.post)[67337]: /proc/self/fd/5: line 36: [: : integer expression expected
> rpm-ostree(portmaster.post)[67337]: portmaster: Configuring portmaster.service to launch at boot
> rpm-ostree(portmaster.post)[67352]: rpm-ostree-systemctl: Ignored non-preset command: enable portmaster.service
> rpm-ostree(portmaster.post)[67353]: chcon: failed to change context of '/opt/safing/portmaster/portmaster-start' to ‘system_u:object_r:bin_t:s0’: Operation not supported

I'm not really sure what the issue is. Seems to be related to 1) SELinux, 2) OSTree, and 3) installation in /opt.
On Fedora Workstation 36, portmaster's installation works like charm.

To Reproduce
Please describe the steps needed to reproduce the bug:

1. Download https://updates.safing.io/latest/linux_amd64/packages/portmaster-installer.rpm
2. rpm-ostree install portmaster-installer.rpm

Expected behavior
Portmaster should be installed in /opt.

OS version:

% rpm-ostree status -b
● fedora:fedora/36/x86_64/silverblue
                   Version: 36.20220721.0 (2022-07-21T00:49:11Z)
                BaseCommit: 9ab93e030c5e6fdfc8b5340d32b3e2573c0a93d645e33a135c0889a83452b263
              GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
           LayeredPackages: akmod-nvidiaPlease replace this line with output of 

Additional context
Also reported in safing/portmaster#733

[travier]

As this package is not part of the Fedora repos and is using a custom package making tool (https://github.com/goreleaser/nfpm from https://github.com/safing/portmaster-packaging), you will have to extract the scripts from the RPM so that we can take a look.

[CheariX]

Thanks for pointing me to the packaging. At least, I do know now where to start investigating the issue but I'm not sure if I want to go down that road.

[travier]

You should be able to extract the scripts using the rpm command with some options and we could then try to figure out how much needs to change.

[travier]

The issue is discussed upstream and there are alternatives suggested there. I'm going to close this one as it's not strictly about Silverblue.