overlay/15fcos: fix selinux labels in /boot and /sysroot

/boot/efi and /sysroot dir and subfiles are unlabeled_t since
40.20240504.3.0.
This is likely due to a missing step in the OSBuild pipeline as this
started with coreos/fedora-coreos-tracker#1653.

This should be removed after the next barrier release, if the newly
produced images are fixed.

See coreos/fedora-coreos-tracker#1771
And coreos/fedora-coreos-tracker#1772

overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset

@@ -6,3 +6,7 @@ enable fwupd-refresh.timer
 # Check if wifi firmwares are missing when NetworkManager-wifi is installed
 # https://github.com/coreos/fedora-coreos-tracker/issues/1575
 enable coreos-check-wireless-firmwares.service
+# Fix incorrect SELinux labels in /boot and /sysroot
+# https://github.com/coreos/fedora-coreos-tracker/issues/1772
+# https://github.com/coreos/fedora-coreos-tracker/issues/1771
+enable coreos-fix-selinux-labels.service

overlay.d/15fcos/usr/lib/systemd/system/coreos-fix-selinux-labels.service

@@ -0,0 +1,18 @@
+# Remove after the next barrier release
+
+[Unit]
+Description=Fix incorrect selinux labels under /boot and /sysroot
+Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1771
+Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1772
+
+[Service]
+Type=oneshot
+#ExecStartPre=/usr/bin/mount -o remount,rw /boot
+#ExecStartPre=/usr/bin/mount -o remount,rw /sysroot
+#ExecStart=/usr/sbin/restorecon -R /boot
+ExecStart=/usr/libexec/coreos-fix-labels
+RemainAfterExit=yes
+MountFlags=slave
+
+[Install]
+WantedBy=multi-user.target

overlay.d/15fcos/usr/libexec/coreos-fix-labels

@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+
+echo "Remounting /boot as rw"
+/usr/bin/mount -o remount,rw /boot
+
+echo "Restoring SELinux labels"
+/usr/sbin/restorecon -R /boot
+
+
+/usr/bin/mount -o remount,rw /sysroot
+/usr/bin/chcon -t root_t -R /sysroot