| Summary: | app-containers/podman-5.0.0 fails to build on SELinux | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Kenton Groombridge <concord> |
| Component: | Current packages | Assignee: | Zac Medico <zmedico> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | concord, gentoo, me, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=927311 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | build.log | ||
*** Bug 927708 has been marked as a duplicate of this bug. *** Since my (reported-first) bug was closed as a dup of this newer one, I'll re-add that this needs to be solved by packaging container-selinux[1] for Gentoo: [1] https://github.com/containers/container-selinux/ (In reply to Ed Santiago from comment #2) > Since my (reported-first) bug was closed as a dup of this newer one, I'll > re-add that this needs to be solved by packaging container-selinux[1] for > Gentoo: > > [1] https://github.com/containers/container-selinux/ I closed your bug because the purported fix is incorrect. container-selinux is not compatible with Gentoo's SELinux policy. For podman specifically, we have sec-policy/selinux-podman which contains the correct type podman_exec_t. You can workaround this for now by setting SELINUXOPT to an empty value when building podman, e.g.: SELINUXOPT= emerge podman |
Created attachment 888771 [details] build.log podman's Makefile makes an unfortunate assumption about the loaded SELinux policy and tries to relabel the podman binary with a type that doesn't exist in Gentoo's policy (container_runtime_exec_t vs. podman_exec_t). It seems setting SELINUXOPT to an empty value successfully tricks the build system to skip its SELinux relabeling step, then Portage will take care of it like normal.