Description
Describe the bug
When I have a bootc image created by rpm-ostree, but with some layered files, and I run build-chunked-oci on it, I get some changes to the resulting ostree commit compared to the base commit, even if they were not changed in the layering.
Here are some example differences:
-d00755 0 0 0 { [(b'security.selinux', b'system_u:object_r:root_t:s0')] } /
+d00555 0 0 0 { [(b'security.selinux', b'system_u:object_r:root_t:s0')] } /
-d00555 0 0 0 { [(b'security.selinux', b'system_u:object_r:bin_t:s0')] } /usr/bin
+d00755 0 0 0 { [(b'security.selinux', b'system_u:object_r:bin_t:s0')] } /usr/bin
-d00555 0 0 0 { [(b'security.selinux', b'system_u:object_r:cert_t:s0')] } /usr/etc/pki/ca-trust/extracted/pem/directory-hash
+d00755 0 0 0 { [(b'security.selinux', b'system_u:object_r:cert_t:s0')] } /usr/etc/pki/ca-trust/extracted/pem/directory-hash
-d00755 0 35 0 { [(b'security.selinux', b'system_u:object_r:bin_t:s0')] } /usr/libexec/utempter
+d00755 0 0 0 { [(b'security.selinux', b'system_u:object_r:bin_t:s0')] } /usr/libexec/utempter
+d01777 0 0 0 { [(b'security.selinux', b'system_u:object_r:tmp_t:s0')] } /var/tmp
I can understand where the rootfs permission change comes from, because we create that ourselves. However, the directory permission changes are a bit weird. The actual directories deployed in the initial container image differ from those of the embedded ostree commit. Are we canonicalizing these when we deploy in the image?
Also, it is unclear why /usr/libexec/utempter changed group from utmp to root.
For /var/tmp, I guess it was created in the container image after deploying the ostree commit.
Reproduction steps
Run:
$ sudo rpm-ostree experimental compose build-chunked-oci --bootc --output containers-storage:test --from quay.io/centos-bootc/centos-bootc:stream9
$ sudo podman run -ti quay.io/centos-bootc/centos-bootc:stream9 ostree ls -d "" /usr/etc/nftables /usr/libexec/utempter
d00700 0 0 0 /usr/etc/nftables
d00755 0 35 0 /usr/libexec/utempter
$ sudo podman run -ti test:latest ostree ls -d "" /usr/etc/nftables /usr/libexec/utempter
d00755 0 0 0 /usr/etc/nftables
d00755 0 0 0 /usr/libexec/utempter
Expected behavior
nftables should have the original permissions
utempter should have the original group ownership.
Actual behavior
The permissions/group differ.
System details
$ rpm-ostree --version
rpm-ostree:
Version: '2025.11'
Git: v2025.11-9-g5a83628283ebefe554d83aa50d0bdd24f3d84864
Features:
- rust
- compose
- container
- fedora-integration
Additional information
No response
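Added example, not code from the issue author or from the rpm-ostree project: a small Python script that parses two `ostree ls` listings of the kind quoted in this report and prints every mode or ownership change between them, marking the changes that grant permission bits the base commit did not (for instance /usr/etc/nftables going from 0700 to 0755, which makes the directory world-readable). The sample listings are constructed from the entries quoted above. The handling of the `{ ... }` xattr block is an assumption taken from the quoted diff lines; plain `ostree ls` output has no such block.

```python
"""Report mode/ownership drift between two `ostree ls` listings.

Added example for this issue; not rpm-ostree or ostree project code.
Line format assumed from the lines quoted in the report:
    <type><5-digit octal mode> <uid> <gid> <size> [{ xattrs }] <path>
"""
import re
import sys
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    ftype: str  # 'd' directory, '-' regular file, 'l' symlink
    mode: int   # permission bits, including setuid/setgid/sticky
    uid: int
    gid: int
    path: str


class Drift(NamedTuple):
    path: str
    field: str      # "mode", "owner", "added" or "removed"
    before: str
    after: str
    loosened: bool  # True when the change grants access the base did not


# Type char, 5-digit octal mode, uid, gid, size, optional xattr block, path.
# The `{ ... }` block is an assumption based on the quoted diff output.
LINE_RE = re.compile(
    r"^([-dl])(\d{5})\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:\{.*\}\s+)?(\S.*)$"
)


def parse_listing(text: str) -> Dict[str, Entry]:
    """Parse `ostree ls` output into a path-keyed map; reject unknown lines."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ostree ls line: {raw!r}")
        ftype, mode, uid, gid, _size, path = m.groups()
        path = path.split(" -> ")[0]  # symlinks print "<path> -> <target>"
        entries[path] = Entry(ftype, int(mode, 8), int(uid), int(gid), path)
    return entries


def _octal(mode: int) -> str:
    return format(mode, "05o")


def compare(base: Dict[str, Entry], new: Dict[str, Entry]) -> List[Drift]:
    """Return every mode/owner difference between the two listings, by path."""
    drifts: List[Drift] = []
    for path in sorted(set(base) | set(new)):
        a, b = base.get(path), new.get(path)
        if a is None:
            # A new world-writable entry without the sticky bit is a red flag.
            risky = bool(b.mode & 0o002) and not (b.mode & 0o1000)
            drifts.append(Drift(path, "added", "-", _octal(b.mode), risky))
            continue
        if b is None:
            drifts.append(Drift(path, "removed", _octal(a.mode), "-", False))
            continue
        if a.mode != b.mode:
            # Any bit set in the new mode but clear in the base widens access.
            loosened = bool(b.mode & ~a.mode)
            drifts.append(Drift(path, "mode", _octal(a.mode), _octal(b.mode), loosened))
        if (a.uid, a.gid) != (b.uid, b.gid):
            drifts.append(Drift(path, "owner", f"{a.uid}:{a.gid}", f"{b.uid}:{b.gid}", False))
    return drifts


# Constructed sample listings, assembled from the entries quoted in the issue.
BASE_LISTING = """\
d00755 0 0 0 /
d00555 0 0 0 /usr/bin
d00700 0 0 0 /usr/etc/nftables
d00555 0 0 0 { [(b'security.selinux', b'system_u:object_r:cert_t:s0')] } /usr/etc/pki/ca-trust/extracted/pem/directory-hash
d00755 0 35 0 /usr/libexec/utempter
"""
NEW_LISTING = """\
d00555 0 0 0 /
d00755 0 0 0 /usr/bin
d00755 0 0 0 /usr/etc/nftables
d00755 0 0 0 { [(b'security.selinux', b'system_u:object_r:cert_t:s0')] } /usr/etc/pki/ca-trust/extracted/pem/directory-hash
d00755 0 0 0 /usr/libexec/utempter
d01777 0 0 0 /var/tmp
"""


def example_drifts() -> List[Drift]:
    return compare(parse_listing(BASE_LISTING), parse_listing(NEW_LISTING))


def main(argv: List[str]) -> int:
    # Hypothetical usage: python drift.py base.txt new.txt (files holding saved ls output)
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            drifts = compare(parse_listing(f1.read()), parse_listing(f2.read()))
    else:
        drifts = example_drifts()
    for d in drifts:
        flag = "LOOSENED" if d.loosened else "changed"
        print(f"{flag:8} {d.field:7} {d.path}: {d.before} -> {d.after}")
    return 1 if any(d.loosened for d in drifts) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it compares the embedded sample and exits non-zero because three directories gained permission bits; with two file arguments it compares saved output from the two images (for example the `ostree ls` invocations in the reproduction steps, run with `-R` to cover the whole tree). The exit status makes it usable as a gate in an image build pipeline.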