Commit
Add SELinux context option to volume mounts in build-images target
Add the `:z` option to the volume mounts for the Go cache directory in the `build-images` Makefile target. This ensures that the mounted volume is correctly relabelled with a private SELinux context, making the content accessible only to the single container using it.

The `:z` option is necessary for the following reasons:

1. SELinux requires explicit context labelling for volumes to ensure proper access control.
2. Use `:z` (private context) to enhance security by preventing other containers from accessing the Go cache volume, which is only needed by the container performing the build process.

Without this change, builds fail on systems with SELinux enabled because the container lacks the necessary permissions to access the unlabelled host directory. The `:z` option corrects this by providing the appropriate SELinux context.

We do not use `:Z` (shared context) because the Go cache is intended for use by a single container at a time, and `:z` provides stricter access control suited for this scenario.

This change is appropriate for both Docker and Podman, as both container engines support the `:z` and `:Z` options for setting SELinux context on volume mounts.

Signed-off-by: Andrew McDermott <amcdermo@redhat.com>