From c1d9510cb30960275a92a1b8d21fe1b879424336 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
Date: Thu, 28 Mar 2019 13:52:08 +0000
Subject: [PATCH] rootfs-builder: SELinux relabel container volumes

rootfs.sh fails on machines with SELinux in enforcing mode if the volumes aren't labelled. This patch labels volumes so the container is able to access them. In order to do this rootfs directory creation must be moved before the Docker container is started. Previously docker-run(1) would create the rootfs directory in the USE_DOCKER case.

Signed-off-by: Stefan Hajnoczi
Fixes: #266
---
 rootfs-builder/rootfs.sh | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/rootfs-builder/rootfs.sh b/rootfs-builder/rootfs.sh
index fe49302d27..cafd6841e1 100755
--- a/rootfs-builder/rootfs.sh
+++ b/rootfs-builder/rootfs.sh
@@ -305,6 +305,8 @@ if [ -z "$INSIDE_CONTAINER" ] ; then
 trap error_handler ERR
 fi
+mkdir -p ${ROOTFS_DIR}
+
 if [ -n "${USE_DOCKER}" ] ; then
 image_name="${distro}-rootfs-osbuilder"
@@ -330,6 +332,17 @@ if [ -n "${USE_DOCKER}" ] ; then
 docker_run_args+=" $(docker_extra_args $distro)"
+ # Relabel volumes so SELinux allows access (see docker-run(1))
+ if which selinuxenabled 2&>1 >/dev/null && selinuxenabled ; then
+ for volume_dir in "${script_dir}" \
+ "${ROOTFS_DIR}" \
+ "${script_dir}/../scripts" \
+ "${kernel_mod_dir}" \
+ "${GOPATH_LOCAL}"; do
+ chcon -Rt svirt_sandbox_file_t "$volume_dir"
+ done
+ fi
+
 #Make sure we use a compatible runtime to build rootfs
 # In case Clear Containers Runtime is installed we dont want to hit issue:
 #https://github.com/clearcontainers/runtime/issues/828
@@ -359,7 +372,6 @@ if [ -n "${USE_DOCKER}" ] ; then
 exit $?
 fi
-mkdir -p ${ROOTFS_DIR}
 build_rootfs ${ROOTFS_DIR}
 pushd "${ROOTFS_DIR}" >> /dev/null
 if [ "$PWD" != "/" ] ; then
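Review bot: The relocated `mkdir -p ${ROOTFS_DIR}` leaves the variable unquoted, whereas the existing `pushd "${ROOTFS_DIR}"` in the last hunk quotes the same path; a ROOTFS_DIR containing whitespace or glob characters would be word-split or expanded here, and now that this line runs before the Docker branch it affects both build modes. Suggest `mkdir -p "${ROOTFS_DIR}"`. Note that with `trap error_handler ERR` armed just above, a failing mkdir now aborts before docker is invoked, which seems intended; the surrounding script continues outside the hunk.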
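Review bot: The guard `if which selinuxenabled 2&>1 >/dev/null && selinuxenabled` does not test what it intends: bash has no fd-prefixed form of `&>`, so `2&>1` is parsed as a literal argument `2` to `which` followed by `&>1`, meaning `which` is also asked to locate a program named `2` (and returns non-zero unless one is on PATH) while its stdout and stderr are written to a file literally named `1` in the current directory; the relabel branch is therefore skipped on exactly the enforcing-mode hosts this patch targets, and a stray `1` file is left behind. Use `if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled ; then`. Separately, `chcon -Rt svirt_sandbox_file_t` permanently applies the shared container label to host trees such as `${GOPATH_LOCAL}`, `${script_dir}/../scripts` and `${kernel_mod_dir}`, so every container on the host can read them afterwards and nothing ever restores the original labels; the `:Z` (private MCS label) or `:z` suffix on the corresponding `-v` mounts, which docker-run(1) applies and scopes itself, is the narrower choice, though those mount lines are not in this hunk. If `${kernel_mod_dir}` or `${GOPATH_LOCAL}` can be empty in some configurations, `chcon` receives an empty path and, with the `ERR` trap armed earlier in the file, aborts the build; where these variables are set is outside the hunk, so this needs confirming.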