Nicholas Sudsgaard has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/81420?usp=email )
Change subject: util/docker: Place proper SELinux labels on volumes ......................................................................
util/docker: Place proper SELinux labels on volumes
Without the :z (or :Z) option SELinux will deny running processes in the container. :z is used instead of :Z, as sharing the container content is wanted in this situation.
There are some pitfalls to using the :z or :Z option; however, as far as I know, they should not cause any issues when using this makefile.
TEST=Works with an SELinux enabled system (Fedora 39)
Change-Id: I0a5000471d3578ddb79f532af4713f289919e2da Signed-off-by: Nicholas Sudsgaard devel+coreboot@nsudsgaard.com --- M util/docker/Makefile 1 file changed, 9 insertions(+), 9 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/20/81420/1
diff --git a/util/docker/Makefile b/util/docker/Makefile
index 45562d7..f3c4acf 100644
--- a/util/docker/Makefile
+++ b/util/docker/Makefile
@@ -109,8 +109,8 @@
 docker-run-local: test-docker $(DOCKER_CCACHE)
 $(DOCKER) run -it --rm \
- --volume $(DOCKER_CCACHE):/home/coreboot/.ccache \
- --volume $(top):/home/coreboot/coreboot \
+ --volume $(DOCKER_CCACHE):/home/coreboot/.ccache:z \
+ --volume $(top):/home/coreboot/coreboot:z \
 --env HOME=/home/coreboot \
 --user $(UID):$(GID) \
 coreboot/coreboot-sdk:$(COREBOOT_IMAGE_TAG) \
@@ -146,7 +146,7 @@
 docker-jenkins-server: test-docker-cache-dir test-docker
 $(DOCKER) run -d --privileged --restart=always \
 -p $(COREBOOT_JENKINS_PORT):49151 \
- -v $(COREBOOT_JENKINS_CACHE_DIR):/data/cache \
+ -v $(COREBOOT_JENKINS_CACHE_DIR):/data/cache:z \
 --name=$(COREBOOT_JENKINS_CONTAINER) \
 coreboot/coreboot-jenkins-node:$(COREBOOT_IMAGE_TAG)
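Review bot: The `:z` suffix added to `--volume $(top):...` and `--volume $(DOCKER_CCACHE):...` makes the container runtime rewrite the SELinux label of everything under those host paths to a type shared by all containers, and that relabel stays after the container exits. Both paths come from make variables whose definitions are outside this hunk and presumably can be overridden on the command line, so the side effect should be stated where they are used, e.g. a comment above the target: `# :z relabels the host directory recursively for all containers; keep top and DOCKER_CCACHE off $HOME and system paths`. The same applies to the `$(top)` mounts in the @@ -154, @@ -164 and @@ -180 hunks. The recipe's command line continues past the end of this hunk.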
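Review bot: `docker-jenkins-server` already starts the container with `--privileged`, which as far as I know runs it without SELinux confinement, so the `:z` added to `-v $(COREBOOT_JENKINS_CACHE_DIR):/data/cache` is probably not what this target needs on an enforcing host. It would be worth checking the label of the cache directory with `ls -Zd` before and after a run; if it does not change, drop `:z` from the privileged recipes so the option only appears where it has an effect. The `--privileged` shell recipe in the @@ -154 hunk mounts the same cache directory and raises the same question.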
@@ -154,8 +154,8 @@
 $(DOCKER) run -u root -it --privileged \
 --entrypoint="/bin/bash" \
 -p $(COREBOOT_JENKINS_PORT):49151 \
- -v $(top):/home/coreboot/coreboot \
- -v $(COREBOOT_JENKINS_CACHE_DIR):/data/cache \
+ -v $(top):/home/coreboot/coreboot:z \
+ -v $(COREBOOT_JENKINS_CACHE_DIR):/data/cache:z \
 --name=$(COREBOOT_JENKINS_CONTAINER) \
 --rm coreboot/coreboot-jenkins-node:$(COREBOOT_IMAGE_TAG)
@@ -164,7 +164,7 @@
 $(DOCKER) run -u $(USER) -it \
 -e COLUMNS=$(shell tput cols) -e LINES=$(shell tput lines) -e TERM=$(TERM) \
 -w /home/coreboot/coreboot \
- -v $(top):/home/coreboot/coreboot \
+ -v $(top):/home/coreboot/coreboot:z \
 --rm coreboot/coreboot-sdk:$(COREBOOT_IMAGE_TAG) \
 /bin/bash -l
@@ -180,14 +180,14 @@
 mkdir -p $(top)/Documentation/_build
 $(DOCKER) run -it --rm \
 --user $(UID):$(GID) \
- -v "$(top)/:/data-in/:ro" \
- -v "$(top)/Documentation/_build/:/data-out/" \
+ -v "$(top)/:/data-in/:ro,z" \
+ -v "$(top)/Documentation/_build/:/data-out/:z" \
 doc.coreboot.org
 docker-livehtml-docs: test-docker
 docker-livehtml-docs:
 $(DOCKER) run -it --rm \
- --net=host -v "$(top)/:/data-in/:ro" \
+ --net=host -v "$(top)/:/data-in/:ro,z" \
 doc.coreboot.org livehtml
 help:
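Review bot: In `-v "$(top)/:/data-in/:ro,z"` the `ro` only restricts writes from inside the container; the `z` still has the runtime change SELinux labels across the whole source tree on the host, both here and in the `docker-livehtml-docs` recipe, which also runs with `--net=host`. A short comment above each target would keep that visible: `# ro is container-side only; z still relabels $(top) on the host`. `$(top)/Documentation/_build/` lies under `$(top)/`, so the second `:z` presumably relabels files the first mount already covered; that is harmless, but one of the two walks looks redundant.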