SELinux labels in batch changes
Created by: martin-sucha
On Fedora 34 I get an error like the following (with src-cli 3.30.0):
run: echo Hello World | tee -a $(find -name README.md)
container: alpine:3
standard error:
/bin/sh: can't open '/tmp/tmp.IbdkiA': Permission denied
when running the hello world batch change. SELinux blocks the Docker bind mount.
src-cli uses Docker arguments like --mount type=bind,source=/tmp/205206724,target=/tmp/tmp.MLPLgP,ro
for mounting. If I replace them with /tmp/205206724:/tmp/tmp.MLPLgP:ro,Z
then the mount succeeds. I have replaced those occurrences in my local copy of src-cli and now it works.
However, we need to be careful when using the Z
option, as it modifies the SELinux labels on the host; see https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
If all the files that src-cli mounts are temporary files then it should probably be okay to use it.
I have not tried to run rootless docker yet, so I don't know if that would fix the issue.
In any case, even if it is decided not to add the Z flag to src-cli, the error message could be better.
What do you think about it?
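As an added illustration of the trade-off discussed in this issue (example code written here, not part of src-cli), the helper below builds the Docker CLI mount arguments either in the --mount form src-cli currently uses or in the -v form with the Z relabel option. The --mount syntax has no option for SELinux relabelling, which is why the -v form is needed for Z. Since Z rewrites the label of the host path, the helper refuses to relabel anything outside a caller-supplied temporary root, matching the point above that relabelling is only acceptable for src-cli's own temp files. The function and parameter names (BindMountArgs, selinuxEnforcing, tmpRoot) and the sample paths are assumptions for this example; reading /sys/fs/selinux/enforce is the standard way to check the enforcement mode.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// selinuxEnforcing reports whether SELinux is loaded and in enforcing mode on
// this host. /sys/fs/selinux/enforce contains "1" when enforcing and "0" when
// permissive; the file is absent when SELinux is disabled or not built in.
func selinuxEnforcing() bool {
	data, err := os.ReadFile("/sys/fs/selinux/enforce")
	if err != nil {
		return false
	}
	return strings.TrimSpace(string(data)) == "1"
}

// BindMountArgs returns the docker CLI arguments that bind-mount hostPath at
// target inside the container (hypothetical helper, not src-cli's own code).
//
// relabel == false: emits the --mount form src-cli uses today.
// relabel == true:  emits the -v form with the Z option, because --mount does
// not accept z/Z. Z changes the SELinux label of hostPath on the host, so the
// caller must pass tmpRoot (e.g. os.TempDir()) and the function refuses to
// relabel any path that is not inside it.
func BindMountArgs(hostPath, target, tmpRoot string, readOnly, relabel bool) ([]string, error) {
	if !relabel {
		spec := fmt.Sprintf("type=bind,source=%s,target=%s", hostPath, target)
		if readOnly {
			spec += ",ro"
		}
		return []string{"--mount", spec}, nil
	}

	// Guard: only relabel files under tmpRoot. filepath.Rel yields ".." or a
	// "../" prefix (or an error for mismatched absolute/relative paths) when
	// hostPath is outside tmpRoot.
	rel, err := filepath.Rel(tmpRoot, hostPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, fmt.Errorf("refusing to relabel %s with Z: not under %s", hostPath, tmpRoot)
	}

	var opts []string
	if readOnly {
		opts = append(opts, "ro")
	}
	opts = append(opts, "Z")
	return []string{"-v", fmt.Sprintf("%s:%s:%s", hostPath, target, strings.Join(opts, ","))}, nil
}

func main() {
	// Sample paths constructed for this example, mirroring those in the issue.
	args, err := BindMountArgs("/tmp/205206724", "/tmp/tmp.MLPLgP", os.TempDir(), true, selinuxEnforcing())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("docker run", strings.Join(args, " "), "...")

	// A repository checkout outside the temp dir must never be relabelled.
	if _, err := BindMountArgs("/home/user/repo", "/work", os.TempDir(), true, true); err != nil {
		fmt.Println("guard:", err)
	}
}
```

On an enforcing host this prints the `-v /tmp/205206724:/tmp/tmp.MLPLgP:ro,Z` form; elsewhere it keeps the existing `--mount` form, so nothing on non-SELinux systems changes. The guard is the important part: a Z relabel of a real working directory would leave the user's files with a container label after src-cli exits.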