Conversation

oherrala
Contributor

This PR adds SELinux labels to volume mounts on other engines than Podman.

Fixes #756

@Emilgardis
Member

Awesome!

It's only podman on macOS which doesn't support SELinux labels, no?

@Emilgardis Emilgardis added the no-ci-targets PRs that do not affect or should skip any cross-compilation targets. label May 17, 2023
@oherrala
Contributor Author

@Emilgardis Yes, I think this is a macOS-only issue and I'll change the PR to reflect that.

@oherrala oherrala force-pushed the fix-podman branch 2 times, most recently from e426339 to 04ab196 Compare May 17, 2023 12:07
Member

@Emilgardis Emilgardis left a comment

lgtm! Only needing a changeset file, see https://github.com/cross-rs/cross/blob/main/.changes/README.md

Comment on lines +46 to +53
#[cfg(target_os = "macos")]
let (selinux, selinux_ro) = if engine.kind.is_podman() {
    ("", ":ro")
} else {
    (":z", ":z,ro")
};
#[cfg(not(target_os = "macos"))]
let (selinux, selinux_ro) = (":z", ":z,ro");
Member

I don't think this is technically correct; rather, we should get the OS of the fs host and whether it's using Plan 9/v9fs/9p.

The problem is that the client could be different from what cross is compiled for, e.g. running podman in podman.

Unfortunately, there doesn't seem to be a way to determine what we're on, due to the fs abstraction podman has.

here's what's available

podman info -f "{{json .}}" | jq
{
  "host": {
    "arch": "arm64",
    "buildahVersion": "1.30.0",
    "cgroupManager": "systemd",
    "cgroupVersion": "v2",
    "cgroupControllers": [
      "cpu",
      "io",
      "memory",
      "pids"
    ],
    "conmon": {
      "package": "conmon-2.1.7-2.fc38.aarch64",
      "path": "/usr/bin/conmon",
      "version": "conmon version 2.1.7, commit: "
    },
    "cpus": 1,
    "cpuUtilization": {
      "userPercent": 1.63,
      "systemPercent": 3.79,
      "idlePercent": 94.58
    },
    "databaseBackend": "boltdb",
    "distribution": {
      "distribution": "fedora",
      "variant": "coreos",
      "version": "38"
    },
    "eventLogger": "journald",
    "hostname": "localhost.localdomain",
    "idMappings": {
      "gidmap": [
        {
          "container_id": 0,
          "host_id": 1000,
          "size": 1
        },
        {
          "container_id": 1,
          "host_id": 100000,
          "size": 1000000
        }
      ],
      "uidmap": [
        {
          "container_id": 0,
          "host_id": 501,
          "size": 1
        },
        {
          "container_id": 1,
          "host_id": 100000,
          "size": 1000000
        }
      ]
    },
    "kernel": "6.2.15-300.fc38.aarch64",
    "logDriver": "journald",
    "memFree": 1680568320,
    "memTotal": 2049077248,
    "networkBackend": "netavark",
    "ociRuntime": {
      "name": "crun",
      "package": "crun-1.8.4-1.fc38.aarch64",
      "path": "/usr/bin/crun",
      "version": "crun version 1.8.4\ncommit: 5a8fa99a5e41facba2eda4af12fa26313918805b\nrundir: /run/user/501/crun\nspec: 1.0.0\n+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL"
    },
    "os": "linux",
    "remoteSocket": {
      "path": "/run/user/501/podman/podman.sock",
      "exists": true
    },
    "serviceIsRemote": true,
    "security": {
      "apparmorEnabled": false,
      "capabilities": "CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT",
      "rootless": true,
      "seccompEnabled": true,
      "seccompProfilePath": "/usr/share/containers/seccomp.json",
      "selinuxEnabled": true
    },
    "slirp4netns": {
      "executable": "/usr/bin/slirp4netns",
      "package": "slirp4netns-1.2.0-12.fc38.aarch64",
      "version": "slirp4netns version 1.2.0\ncommit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383\nlibslirp: 4.7.0\nSLIRP_CONFIG_VERSION_MAX: 4\nlibseccomp: 2.5.3"
    },
    "swapFree": 0,
    "swapTotal": 0,
    "uptime": "0h 2m 43.00s",
    "linkmode": "dynamic"
  },
  "store": {
    "configFile": "/var/home/core/.config/containers/storage.conf",
    "containerStore": {
      "number": 0,
      "paused": 0,
      "running": 0,
      "stopped": 0
    },
    "graphDriverName": "overlay",
    "graphOptions": {},
    "graphRoot": "/var/home/core/.local/share/containers/storage",
    "graphRootAllocated": 106769133568,
    "graphRootUsed": 2610094080,
    "graphStatus": {
      "Backing Filesystem": "xfs",
      "Native Overlay Diff": "true",
      "Supports d_type": "true",
      "Using metacopy": "false"
    },
    "imageCopyTmpDir": "/var/tmp",
    "imageStore": {
      "number": 1
    },
    "runRoot": "/run/user/501/containers",
    "volumePath": "/var/home/core/.local/share/containers/storage/volumes",
    "transientStore": false
  },
  "registries": {
    "search": [
      "docker.io"
    ]
  },
  "plugins": {
    "volume": [
      "local"
    ],
    "network": [
      "bridge",
      "macvlan",
      "ipvlan"
    ],
    "log": [
      "passthrough",
      "journald"
    ],
    "authorization": null
  },
  "version": {
    "APIVersion": "4.5.0",
    "Version": "4.5.0",
    "GoVersion": "go1.20.2",
    "GitCommit": "",
    "BuiltTime": "Fri Apr 14 17:41:12 2023",
    "Built": 1681486872,
    "OsArch": "linux/arm64",
    "Os": "linux"
  }
}

Interestingly, the server says SELinux is available, oh well...

And the version:

podman version -f "{{json .}}" | jq
{
  "Client": {
    "APIVersion": "4.5.0",
    "Version": "4.5.0",
    "BuiltTime": "Fri Apr 14 15:28:20 2023",
    "Built": 1681478900,
    "OsArch": "darwin/arm64",
    "Os": "darwin"
  },
  "Server": {
    "APIVersion": "4.5.0",
    "Version": "4.5.0",
    "GoVersion": "go1.20.2",
    "GitCommit": "",
    "BuiltTime": "Fri Apr 14 17:41:12 2023",
    "Built": 1681486872,
    "OsArch": "linux/arm64",
    "Os": "linux"
  }
}
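The two JSON documents above show the piece of information that does survive podman's fs abstraction: `podman version` reports the client's OS (darwin) separately from the server's (linux). The following is an added illustration, not code from cross or from this PR, written in Python rather than the project's Rust so it runs stand-alone with only the standard library. It takes the PR's rule (relabel with `:z` everywhere except podman on macOS) but reads the OS from the podman client at run time instead of `cfg(target_os)`, which is one way to address the "cross compiled for a different OS than the podman client" concern raised in the review. The sample JSON strings are constructed here and trimmed to the fields used; the function and variable names are this example's own.

```python
import json

# Constructed samples of `podman version -f "{{json .}}"` output, reduced to the
# fields this example reads. The first mirrors the macOS case from the thread
# (darwin client talking to a linux server inside the podman machine VM); the
# second is a plausible shape for a native Linux podman with no remote server.
PODMAN_VERSION_MACOS = json.dumps({
    "Client": {"APIVersion": "4.5.0", "OsArch": "darwin/arm64", "Os": "darwin"},
    "Server": {"APIVersion": "4.5.0", "OsArch": "linux/arm64", "Os": "linux"},
})
PODMAN_VERSION_LINUX = json.dumps({
    "Client": {"APIVersion": "4.5.0", "OsArch": "linux/amd64", "Os": "linux"},
    "Server": None,
})

# Rust's cfg(target_os) spells it "macos"; podman (Go) reports "darwin".
MAC_NAMES = {"macos", "darwin"}


def podman_client_os(version_json, fallback):
    """Read Client.Os from `podman version` JSON; on missing or bad input use fallback."""
    try:
        doc = json.loads(version_json)
        client = doc.get("Client") or {}
        return client.get("Os", fallback)
    except (TypeError, ValueError):
        return fallback


def is_remote_server(version_json):
    """True when the client drives a server on a different OS (the podman machine case)."""
    try:
        doc = json.loads(version_json)
    except (TypeError, ValueError):
        return False
    client = doc.get("Client") or {}
    server = doc.get("Server") or {}
    return bool(server) and client.get("Os") != server.get("Os")


def mount_suffixes(engine_kind, compiled_for, version_json=None):
    """Return (rw_suffix, ro_suffix) to append to `-v host:container` mounts.

    Same decision as the PR: ask for an SELinux relabel (':z') everywhere except
    podman on macOS, where the host directory reaches the VM through a 9p-style
    share and the relabel request is what makes the run fail. The OS comes from
    the podman client at run time; `compiled_for` (the cross binary's target OS)
    is only the fallback when `podman version` output is unavailable or unparsable.
    """
    if engine_kind != "podman":
        return (":z", ":z,ro")
    client_os = podman_client_os(version_json, compiled_for)
    if client_os.lower() in MAC_NAMES:
        return ("", ":ro")
    return (":z", ":z,ro")


def volume_arg(host_path, container_path, suffix):
    """Build the `-v` argument for one bind mount."""
    return f"{host_path}:{container_path}{suffix}"


if __name__ == "__main__":
    rw, ro = mount_suffixes("podman", "macos", PODMAN_VERSION_MACOS)
    print(volume_arg("/Users/me/proj", "/project", rw))
    print(volume_arg("/Users/me/.cargo", "/cargo", ro))
    rw, ro = mount_suffixes("podman", "linux", PODMAN_VERSION_LINUX)
    print(volume_arg("/home/me/proj", "/project", rw))
    print("remote server on macOS sample:", is_remote_server(PODMAN_VERSION_MACOS))
```

Note that `is_remote_server` only tells you the client and server differ, not what filesystem the VM uses to share the host directory, which is the thing the review comment says podman does not expose; the client OS is therefore a heuristic for the macOS failure, not a check of the actual mount type.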

Contributor Author

Podman in podman is difficult. Inside podman's virtual machine everything looks like Linux.

But at least this fixes cross when run with podman on macOS.

@oherrala oherrala marked this pull request as ready for review May 18, 2023 06:44
@oherrala oherrala requested a review from a team as a code owner May 18, 2023 06:44
@Emilgardis
Member

Thanks!

bors r+

@bors
Contributor

bors bot commented May 18, 2023

Build succeeded!

@bors bors bot merged commit b7f7ace into cross-rs:main May 18, 2023
@oherrala oherrala deleted the fix-podman branch May 18, 2023 17:22
@Emilgardis Emilgardis added this to the v0.3.0 milestone Nov 1, 2023
Successfully merging this pull request may close these issues.

Podman Fails on macOS due to SELinux Labels