From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Antoine Tenart <atenart@kernel.org>
Cc: Christian Stewart <christian@paral.in>,
"Yann E. MORIN" <yann.morin.1998@free.fr>,
Ricardo Martincoski <ricardo.martincoski@datacom.com.br>,
Thomas Petazzoni via buildroot <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH RFC 1/2] utils/docker-run: make it compatible with SELinux
Date: Thu, 27 Jul 2023 12:24:49 +0200
Message-ID: <20230727122449.3b7993c6@windsurf>
In-Reply-To: <169045318850.6100.416444363161517133@kwain>
Hello,
On Thu, 27 Jul 2023 12:19:48 +0200
Antoine Tenart <atenart@kernel.org> wrote:
> IIRC --mount was introduced for better consistency in the docker args
> and supporting named parameters (I don't know the full reasoning but
> it's probably linked to supporting APIs -like yaml definitions- in a
> better way?). While doing so they tried to fix issues in --volume and
> labeling files on mount was one of them.
>
> The issue is both logical and practical: files should be labeled when
> being created (not when being mounted) and relabeling files "magically"
> can cause issues (e.g. don't `-v /home:/home:z`!). The reasoning with
> the new --mount option is a directory should be created and configured
> on the host and then only mounted by containers (hence the directory is
> no longer created if not present when using --mount).
>
> So here, idk, not a docker expert :) I'd say using relabeling of a
> directory that is under Buildroot's control is probably OK. While
> replying, had a quick look at this and it seems the preferred solution
> would be instead to use the `--security-opt label=disable` option:
> labels would be kept in sync with the host and I guess the goal of using
> Docker here is not for isolating the build but to have a known
> environment. I never played with that option so please investigate
> before switching to it.
Thanks for the hint!
I tried --security-opt label=disable, and it works, at least it fixes
my permission issue, without having to do the z/Z thing. Probably it's
a better option than using z/Z that has the side effect of adding
SELinux labels on all files being mounted? To be honest, I'm not clear
on the consequences of --security-opt label=disable.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
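The two options discussed in this message, side by side, as an added example. This is not Buildroot's utils/docker-run script and not code from either poster: a POSIX sh fragment that detects the host's SELinux mode, builds the docker run options for either the relabeling (":z") approach or the "--security-opt label=disable" approach, and shows how to observe the relabeling side effect on the host with stat. Assumptions of the example: the Buildroot tree is mounted at the same path inside the container as on the host, the image name is a placeholder to be replaced by the one your docker-run uses, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not Buildroot's utils/docker-run: choose the SELinux-related
# options for bind-mounting a Buildroot tree into the build container.
#
# The two approaches from the thread and what they do to the host:
#  - "-v DIR:DIR:z": Docker relabels every file under DIR with the shared
#    container type (container_file_t). The new labels persist on the host
#    after the container exits, which is why relabeling a shared tree such
#    as /home is a bad idea.
#  - "--security-opt label=disable": turns off SELinux label confinement for
#    the container process. Host files keep their labels and the mount just
#    works; the price is that SELinux no longer isolates the container from
#    the host, which is acceptable when the container is only a known build
#    environment rather than a sandbox.
#
# Assumption of this example: the tree is mounted at the same path inside the
# container as on the host. Function names are this example's own.

# Print the host SELinux mode: "enforcing", "permissive" or "disabled".
# $1 overrides the path of the enforce pseudo-file (used for testing).
selinux_mode() {
    enforce_file="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$enforce_file" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo disabled ;;
    esac
}

# Print the docker-run options for the tree in $3 given the SELinux mode in $1
# and the strategy in $2 ("disable" or "relabel"). Without SELinux, a plain
# bind mount is enough and no SELinux option is emitted.
docker_run_args() {
    mode="$1"; strategy="$2"; dir="$3"
    if [ "$mode" = disabled ]; then
        echo "-v $dir:$dir"
        return 0
    fi
    case "$strategy" in
        disable) echo "--security-opt label=disable -v $dir:$dir" ;;
        relabel) echo "-v $dir:$dir:z" ;;
        *) echo "unknown strategy: $strategy" >&2; return 1 ;;
    esac
}

# Show the SELinux context of $1 and its first entries. Run it before and after
# a "relabel" run to see the side effect of ":z" on the host (GNU stat prints
# "?" for the context where SELinux is not available).
show_labels() {
    find "$1" -maxdepth 1 | head -n 5 | while IFS= read -r f; do
        stat -c '%C %n' "$f"
    done
}

# Usage: BR_SELINUX_DEMO=1 ./docker-run-selinux.sh /path/to/buildroot [disable|relabel]
# The image name is a placeholder; set BR_DOCKER_IMAGE to the one your tree's
# docker-run uses.
main() {
    dir="$1"; strategy="${2:-disable}"
    image="${BR_DOCKER_IMAGE:-buildroot/base:latest}"
    mode="$(selinux_mode)"
    echo "host SELinux mode: $mode"
    show_labels "$dir"
    # shellcheck disable=SC2046  # word splitting of the option list is intended
    docker run --rm -it $(docker_run_args "$mode" "$strategy" "$dir") \
        -w "$dir" "$image" /bin/sh
}

if [ -n "${BR_SELINUX_DEMO:-}" ]; then
    main "$@"
fi
```

Run show_labels on the tree once more after a "relabel" session to see that the ":z" labels are still there: that persistence is the side effect the message worries about, and the reason the "disable" strategy leaves the host untouched.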
Thread overview: 13+ messages
2023-07-26 21:20 [Buildroot] [PATCH RFC 1/2] utils/docker-run: make it compatible with SELinux Thomas Petazzoni via buildroot
2023-07-26 21:20 ` [Buildroot] [PATCH RFC 2/2] utils/docker-run: mount the download directory if specified Thomas Petazzoni via buildroot
2023-08-08 20:50 ` Yann E. MORIN
2023-08-08 21:24 ` Thomas Petazzoni via buildroot
2023-07-27 8:13 ` [Buildroot] [PATCH RFC 1/2] utils/docker-run: make it compatible with SELinux Antoine Tenart
2023-07-27 8:48 ` Thomas Petazzoni via buildroot
2023-07-27 10:19 ` Antoine Tenart
2023-07-27 10:24 ` Thomas Petazzoni via buildroot [this message]
2023-07-27 10:50 ` Antoine Tenart
2023-07-27 11:47 ` Antoine Tenart
2023-07-27 16:21 ` Yann E. MORIN
[not found] ` <CA+h8R2qJF87Wi_w9DBjFZO__x=Kku+hfU1_-uhn2tLegFtc37g@mail.gmail.com>
2023-07-28 7:24 ` Thomas Petazzoni via buildroot
2023-08-09 21:32 ` Yann E. MORIN