927966 – app-containers/podman-5.0.0 fails to build on SELinux

Bug 927966 - app-containers/podman-5.0.0 fails to build on SELinux

Summary: app-containers/podman-5.0.0 fails to build on SELinux

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Zac Medico

URL:
Whiteboard:
Keywords:	PullRequest

Duplicates (1):	927708 (view as bug list)
Depends on:
Blocks:

Reported:	2024-03-27 14:53 UTC by Kenton Groombridge
Modified:	2024-10-24 19:53 UTC (History)
CC List:	4 users (show)

See Also:	927311 https://github.com/gentoo/gentoo/pull/39098
Package list:
Runtime testing required:	---

Attachments
build.log (build.log.gz,443.16 KB, application/gzip) 2024-03-27 14:53 UTC, Kenton Groombridge	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kenton Groombridge gentoo-dev

2024-03-27 14:53:29 UTC

Created attachment 888771 [details]
build.log

podman's Makefile makes an unfortunate assumption about the loaded SELinux policy and tries to relabel the podman binary with a type that doesn't exist in Gentoo's policy (container_runtime_exec_t vs. podman_exec_t).

It seems setting SELINUXOPT to an empty value successfully tricks the build system to skip its SELinux relabeling step, then Portage will take care of it like normal.

Comment 1 Kenton Groombridge gentoo-dev

2024-04-03 14:15:32 UTC

*** Bug 927708 has been marked as a duplicate of this bug. ***

Comment 2 Ed Santiago 2024-04-03 14:18:28 UTC

Since my (reported-first) bug was closed as a dup of this newer one, I'll re-add that this needs to be solved by packaging container-selinux[1] for Gentoo:

 [1] https://github.com/containers/container-selinux/

Comment 3 Kenton Groombridge gentoo-dev

2024-04-03 14:20:54 UTC

(In reply to Ed Santiago from comment #2)
> Since my (reported-first) bug was closed as a dup of this newer one, I'll
> re-add that this needs to be solved by packaging container-selinux[1] for
> Gentoo:
> 
>  [1] https://github.com/containers/container-selinux/

I closed your bug because the purported fix is incorrect. container-selinux is not compatible with Gentoo's SELinux policy. For podman specifically, we have sec-policy/selinux-podman which contains the correct type podman_exec_t.

You can workaround this for now by setting SELINUXOPT to an empty value when building podman, e.g.: SELINUXOPT= emerge podman

Comment 4 Larry the Git Cow gentoo-dev

2024-10-24 19:53:02 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=932b12cd4319a206933e1f548d0913ecbc1e8b91

commit 932b12cd4319a206933e1f548d0913ecbc1e8b91
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2024-10-24 15:11:00 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-10-24 19:51:28 +0000

    app-containers/podman: fix SELinux relabeling
    
    The Makefile relabels the podman executable during installation and
    defaults to using container_runtime_exec_t which does not exist in
    Gentoo's SELinux policies. Disable the automatic relabeling during
    install and let portage take care of it to avoid this error.
    
    Closes: https://bugs.gentoo.org/927966
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
    From: https://github.com/gentoo/gentoo/pull/39098
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/podman-4.9.4.ebuild | 2 +-
 app-containers/podman/podman-5.0.2.ebuild | 4 ++--
 app-containers/podman/podman-5.0.3.ebuild | 4 ++--
 app-containers/podman/podman-5.1.1.ebuild | 4 ++--
 app-containers/podman/podman-5.2.4.ebuild | 4 ++--
 app-containers/podman/podman-9999.ebuild  | 4 ++--
 6 files changed, 11 insertions(+), 11 deletions(-)