Description of problem:
According to the buildah-run man page, the --volume option supports the 'z' (shared) and 'Z' (private) options that set the SELinux context on the volume. The "docker run" command has similar options. However, in practice, these options don't work (or aren't implemented).

Version-Release number of selected component (if applicable):
buildah-1.0-1.git1ab80bc.fc28.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Make sure selinux is enabled and in enforcing mode:

   # sestatus
   SELinux status:                 enabled
   SELinuxfs mount:                /sys/fs/selinux
   SELinux root directory:         /etc/selinux
   Loaded policy name:             targeted
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy MLS status:              enabled
   Policy deny_unknown status:     allowed
   Memory protection checking:     actual (secure)
   Max kernel policy version:      31

2. Create a container (any container)

3. Create a directory to mount down into the container

   # mkdir /tmp/hostdir

4. Try to use the buildah run --volume option to mount the directory read-write:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
   mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

   At this point a selinux AVC denial will occur. But, that is to be expected since we didn't use the 'z' or 'Z' option. Let's check the context of the directory:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
   drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

   That isn't correct, but once again to be expected.

5. Try the 'z' option:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
   mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

   Another selinux AVC denial will occur. Let's check the context:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
   drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

   Notice the context is exactly the same as without using the 'z' option, so the 'z' option didn't do anything.

6. Try the 'Z' option:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,Z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- mkdir -p /tmp/targetdir/bar
   mkdir: cannot create directory '/tmp/targetdir/bar': Permission denied

   Another selinux AVC denial will occur. Let's check the context:

   # buildah run --volume /tmp/hostdir:/tmp/targetdir:rw,Z sourceware.org/e5f82c665e5c430fbd31675dbfbb81aa -- ls -Zd /tmp/targetdir/
   drwxrwxr-x. 5183 5184 unconfined_u:object_r:user_tmp_t:s0 /tmp/targetdir/

   Once again the context of the directory hasn't changed.

Actual results:
See above.

Expected results:
The context of the volume would be set correctly.

Additional info:
Note that the equivalent "docker run" command does set the context correctly.

I pulled down the upstream buildah source and took a look. If I'm not mistaken, the support for actually setting the context should be in the file vendor/github.com/opencontainers/selinux/go-selinux/label/label.go, function Relabel - but that function just returns (like the rest of that file). This functionality should be implemented - or at least the functionality could be marked as not yet implemented in the documentation to avoid confusion.
The bug here is that the buildah run command has a --volume flag. I am opening a PR to remove this.

   buildah from --volume /tmp/hostdir:/tmp/targetdir:rw,z IMAGE

should be where the volume is created, not in the buildah run command. If you do it on the from line, then everything should work correctly.
Yes, using "build from --volume" works correctly. Be sure to remove the "buildah run --volume" option itself and its documentation. Thanks for the help.
buildah-1.2-1.gitbe87762.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274
buildah-1.2-1.gitbe87762.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eb77f53f4
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d9a8457274
buildah-1.2-1.gitbe87762.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
buildah-1.2-1.gitbe87762.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.