From b6eedb6fb194ec32b92866257131714e02bae741 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 18 Jan 2023 16:26:01 +0100
Subject: [PATCH] Ensure update_yum.sh has correct SELinux labels

On recent, enforcing systems, the update_yum.sh can't be executed, because SELinux prevents container_t to open user_tmp_t:

type=AVC msg=audit(1674049913.380:22858): avc: denied { open } for pid=70472 comm="bash" path="/tmp/yum_update.sh" dev="vda4" ino=218200014 scontext=system_u:system_r:container_t:s0:c65,c705 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

This patch ensures it gets properly relabelled when bind-mounted during the image build. Using the "z" will also ensure it's still usable even when running multiple builds at the same time.

Change-Id: I4085865965f48c9fa6a88cde7010a51cd8c653d8
---
 tasks/yum_update_buildah.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/yum_update_buildah.yml b/tasks/yum_update_buildah.yml
index cbfd058..5c8e127 100644
--- a/tasks/yum_update_buildah.yml
+++ b/tasks/yum_update_buildah.yml
@@ -106,7 +106,7 @@
 - name: Run yum_update.sh
 command: >
 buildah run
- --volume {{ yum_update.path }}:/tmp/yum_update.sh
+ --volume {{ yum_update.path }}:/tmp/yum_update.sh:z
 --volume {{ yum_repos_dir_path }}:/etc/yum.repos.d
 {% if pkg_mgr_vars_stat.stat.exists %}
 --volume /etc/{{ pkg_mgr_suffix }}/vars:/etc/{{ pkg_mgr_suffix }}/vars
@@ -130,7 +130,7 @@
 - name: Run yum_update.sh (retry without yum cache)
 command: >
 buildah --debug run
- --volume {{ yum_update.path }}:/tmp/yum_update.sh
+ --volume {{ yum_update.path }}:/tmp/yum_update.sh:z
 --volume {{ yum_repos_dir_path }}:/etc/yum.repos.d
 {% if pkg_mgr_vars_stat.stat.exists %}
 --volume /etc/{{ pkg_mgr_suffix }}/vars:/etc/{{ pkg_mgr_suffix }}/vars
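Review bot: The `:z` added on the yum_update.sh volume (first hunk at -106, repeated in the second at -130) relabels the host file at `{{ yum_update.path }}` itself, not only the mount, and nothing in the task records that this path must therefore be a per-build temporary file; a comment above the `command:` such as `# :z relabels the host file in place — yum_update.path must be a throwaway temp file, never a shared or system path` would keep a later refactor from pointing it at something the host cares about. The script is also still mounted read-write even though the container only needs to execute it; if buildah accepts the combined option form, `--volume {{ yum_update.path }}:/tmp/yum_update.sh:ro,z` would prevent anything run during the update from modifying the script on the host. The `{{ yum_repos_dir_path }}` mount on the following line carries no label option, so if that directory is likewise created under a user tmp location the same AVC denial presumably still applies to it, whereas `:z` must not be added to the `/etc/{{ pkg_mgr_suffix }}/vars` mount because relabelling host system directories is harmful. The volume list is duplicated verbatim between the two tasks, so a shared variable holding the `--volume` arguments would keep the label option from drifting between them. Both tasks' `command:` blocks continue past the end of their hunks.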