Building OPA with SELinux enforced #6054

Closed
zregvart opened this issue Jun 28, 2023 · 1 comment · Fixed by #6055

zregvart commented Jun 28, 2023

Short description

Building OPA with SELinux enforced by running make fails when performing steps within a Docker container, as it can't write back to the host file system. Adding the :Z option to the volume mounts helps with this.

I'm happy to provide a pull request adding the :Z flag to the volume mounts.

Example:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

$ git rev-parse HEAD
917bc9ce7b41cd981f87c3f6e21e7b790ecc66e7

$ make
make[1]: Entering directory '/home/zregvart/tmp/opa/wasm'
make: stat: GNUmakefile: Permission denied
make: stat: makefile: Permission denied
make: stat: Makefile: Permission denied
make: stat: _obj/opa.wasm: Permission denied
make: *** No rule to make target '_obj/opa.wasm'.  Stop.
failed to resize tty, using default size
make[1]: *** [Makefile:69: build] Error 2
make[1]: Leaving directory '/home/zregvart/tmp/opa/wasm'
make: *** [Makefile:204: wasm-lib-build] Error 2

# disable SELinux
$ sudo setenforce 0

$ make
make[1]: Entering directory '/home/zregvart/tmp/opa/wasm'
make: '_obj/opa.wasm' is up to date.
make: '_obj/callgraph.csv' is up to date.
make[1]: Leaving directory '/home/zregvart/tmp/opa/wasm'
cp wasm/_obj/opa.wasm internal/compiler/wasm/opa/opa.wasm
cp wasm/_obj/callgraph.csv internal/compiler/wasm/opa/callgraph.csv
CGO_ENABLED=1 GOFLAGS="-buildmode=exe" go generate
CGO_ENABLED=1 GOFLAGS="-buildmode=exe" go build -tags=opa_wasm -o opa_linux_amd64 -ldflags " -X github.com/open-policy-agent/opa/version.Hostname=zregvart"
...

Steps To Reproduce

  1. Configure and enforce SELinux (say sudo setenforce 1)
  2. Try building by running make

Expected behavior

Build progresses regardless of SELinux being enforced.

@zregvart zregvart added the bug label Jun 28, 2023
@srenatus

Make needs to write to the filesystem to build OPA. So sounds like if that flag enables it to work on SELinux-enabled systems, and doesn't cause issues with the others, it would be a good contribution. Thanks!

zregvart added a commit to zregvart/opa that referenced this issue Jun 28, 2023
When SELinux is enforced the mounted volumes to spun Docker containers
are not writable unless the `:z` or `:Z` flag is set[1].

This opts not to share the mounts by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes open-policy-agent#6054

Signed-off-by: Zoran Regvart <zoran@regvart.com>
johanfylling added a commit that referenced this issue Jun 29, 2023
When SELinux is enforced the mounted volumes to spun Docker containers
are not writable unless the `:z` or `:Z` flag is set[1].

This opts not to share the mounts by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes #6054

Signed-off-by: Zoran Regvart <zoran@regvart.com>
Co-authored-by: Johan Fylling <johan.dev@fylling.se>
zregvart added a commit to zregvart/opa that referenced this issue Jun 29, 2023
Ref open-policy-agent#6054

Signed-off-by: Zoran Regvart <zoran@regvart.com>
johanfylling added a commit that referenced this issue Jun 29, 2023
Ref #6054

Signed-off-by: Zoran Regvart <zoran@regvart.com>
Co-authored-by: Johan Fylling <johan.dev@fylling.se>
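
The following sketch is an added example, not code from the OPA Makefile or from either contributor. It builds the `docker run -v` value with `:Z` when SELinux is active and, because `:Z` relabels the host directory with a label private to one container, refuses broad system paths such as `/home` or `/usr` (the Docker documentation linked above warns against relabeling those). The function names `selinux_mode` and `volume_arg` and the deny-list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of OPA's build.

# selinux_mode: print "enforcing", "permissive" or "disabled".
# Falls back to "disabled" when getenforce is not installed.
selinux_mode() {
    m=$(getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]') || true
    echo "${m:-disabled}"
}

# volume_arg HOST_DIR CONTAINER_DIR [MODE]
# Print the bind-mount spec for `docker run -v`.
# MODE defaults to the live SELinux mode; pass it explicitly for testing.
volume_arg() {
    host=$1
    ctr=$2
    mode=${3:-$(selinux_mode)}

    case $mode in
        enforcing|permissive) ;;                      # relabel needed
        *) printf '%s:%s\n' "$host" "$ctr"; return 0 ;;
    esac

    # :Z applies a private, unshared label to everything under HOST_DIR.
    # Doing that to a system directory or a whole home directory can
    # lock other processes out of it, so refuse those (assumed deny-list).
    case ${host%/} in
        ''|/home|/usr|/etc|/var|/boot|"${HOME%/}")
            echo "refusing to relabel $host with :Z" >&2
            return 1 ;;
    esac

    # Use :z instead of :Z only if several containers must share the mount.
    printf '%s:%s:Z\n' "$host" "$ctr"
}

# Typical use from a build script (IMAGE is a placeholder):
#   docker run --rm -v "$(volume_arg "$PWD/wasm" /src)" IMAGE make
```

After a build, `ls -Zd` on the mounted directory shows the label Docker applied.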