[buildx] - SELinux policy denied

[ldelossa]

Hello,

I am working on a Fedora 34 machine with moby engine installed.

My work uses buildx to create our containers locally on our workstations.

When SELinux is enabled, building with buildx fails.

Aug 03 19:33:58 fedora audit[629437]: AVC avc:  denied  { entrypoint } for  pid=629437 comm="runc:[2:INIT]" path="/bin/dockerfile-frontend" dev="nvme0n1p2" ino=260 scontext=system_u:system_r:container_t:s0:c675,c1001 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Since /bin/dockerfile-frontend does not exist on my localhost, I'm assuming buildx is launching a process in it's own namespaces and attempting to access a file in its own mount namespace.

I'm to assume at first glance that whereever /bin/dockerfile-frontend lands on the host file system, it is not being labeled with the container_t domain and the policy is blocking execution.

[ldelossa]

The follow policy will fix this issue:

echo 'AVC avc:  denied  { entrypoint } for  pid=629437 comm="runc:[2:INIT]" path="/bin/dockerfile-frontend" dev="nvme0n1p2" ino=260 scontext=system_u:system_r:container_t:s0:c675,c1001 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0' | audit2allow 


#============= container_t ==============
allow container_t unlabeled_t:file entrypoint;

However this seems over-reaching and still seems like buildx/buildkit is not labeling files correctly.

[thaJeztah]

/cc @kolyshkin

[randomvariable]

Can confirm this is still an issue on fresh installs of Fedora 35.

An example is running make test-e2e-image in https://github.com/kubernetes-sigs/cluster-api-provider-aws