Ensure update_yum.sh has correct SELinux labels

On recent, enforcing systems, the update_yum.sh can't be executed, because SELinux prevents container_t to open user_tmp_t: type=AVC msg=audit(1674049913.380:22858): avc: denied { open } for pid=70472 comm="bash" path="/tmp/yum_update.sh" dev="vda4" ino=218200014 scontext=system_u:system_r:container_t:s0:c65,c705 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 This patch ensures it gets properly relabelled when bind-mounted during the image build. Using the "z" will also ensure it's still usable even when running multiple builds at the same time. Change-Id: I4085865965f48c9fa6a88cde7010a51cd8c653d8
2023-01-18 16:26:01 +01:00 · 2023-01-18 16:26:01 +01:00 · b6eedb6fb1
commit b6eedb6fb1
parent d023d54eb6
1 changed files with 2 additions and 2 deletions
--- a/tasks/yum_update_buildah.yml
+++ b/tasks/yum_update_buildah.yml
@ -106,7 +106,7 @@
    - name: Run yum_update.sh
      command: >
        buildah run
-          --volume {{ yum_update.path }}:/tmp/yum_update.sh
+          --volume {{ yum_update.path }}:/tmp/yum_update.sh:z
          --volume {{ yum_repos_dir_path }}:/etc/yum.repos.d
          {% if pkg_mgr_vars_stat.stat.exists %}
          --volume /etc/{{ pkg_mgr_suffix }}/vars:/etc/{{ pkg_mgr_suffix }}/vars
@ -130,7 +130,7 @@
    - name: Run yum_update.sh (retry without yum cache)
      command: >
        buildah --debug run
-          --volume {{ yum_update.path }}:/tmp/yum_update.sh
+          --volume {{ yum_update.path }}:/tmp/yum_update.sh:z
          --volume {{ yum_repos_dir_path }}:/etc/yum.repos.d
          {% if pkg_mgr_vars_stat.stat.exists %}
          --volume /etc/{{ pkg_mgr_suffix }}/vars:/etc/{{ pkg_mgr_suffix }}/vars