SELinux labels in batch changes

Created by: martin-sucha

On Fedora 34 I get an error like the following (with src-cli 3.30.0):

   run: echo Hello World | tee -a $(find -name README.md)
   container: alpine:3
   
   standard error:
   	/bin/sh: can't open '/tmp/tmp.IbdkiA': Permission denied

when running the hello world batch change. SELinux blocks the Docker bind mount.

src-cli uses Docker arguments like --mount type=bind,source=/tmp/205206724,target=/tmp/tmp.MLPLgP,ro for mounting. If I replace them with /tmp/205206724:/tmp/tmp.MLPLgP:ro,Z then the mount succeeds. I have replaced those occurrences in my local copy of src-cli and now it works.

However, we need to be careful with using the Z option as it modifies the SELinux labels on the host, see https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

If all the files that src-cli mounts are temporary files then it should probably be okay to use it.

I have not tried to run rootless docker yet, so I don't know if that would fix the issue.

In any case, even if it is decided not to add the Z flag to src-cli, the error message could be better.

What do you think about it?
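As an added example (not src-cli's own code, and not part of the issue above): a small POSIX shell helper that builds the `source:target:opts` form of the mount argument described in the report, appends the SELinux `Z` option only when SELinux is active, and refuses to relabel anything outside the temp roots, because `Z` rewrites the label of the source directory on the host. The function names and the "temp roots only" policy are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical helper (example code, not src-cli's): produce a Docker bind-mount
# argument such as /tmp/205206724:/tmp/tmp.MLPLgP:ro,Z. The "Z" option makes
# Docker relabel the host-side source with a private container label, so it is
# only added for paths under the temp roots, never for arbitrary host paths.

# Read the SELinux mode from the kernel: enforcing, permissive or disabled.
detect_selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        if [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then
            echo enforcing
        else
            echo permissive
        fi
    else
        echo disabled
    fi
}

# Assumed policy: relabelling is acceptable only under these temp roots.
is_temp_path() {
    case "$1" in
        /tmp/*|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# bind_mount_arg SOURCE TARGET OPTS MODE
#   OPTS: comma-separated mount options such as "ro" (may be empty)
#   MODE: SELinux mode, passed explicitly so the logic is testable offline;
#         on a real host use "$(detect_selinux_mode)".
bind_mount_arg() {
    src="$1"; dst="$2"; opts="$3"; mode="$4"
    if [ "$mode" != "disabled" ]; then
        if ! is_temp_path "$src"; then
            echo "refusing to relabel non-temporary path: $src" >&2
            return 1
        fi
        # Append Z, keeping the option list well formed when OPTS is empty.
        if [ -n "$opts" ]; then opts="$opts,Z"; else opts="Z"; fi
    fi
    printf '%s\n' "$src:$dst:$opts"
}
```

On a host without SELinux the function emits the plain `source:target:ro` form, so the same command line works in both environments.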