Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Building OPA with SELinux enforced #6054

Closed
zregvart opened this issue Jun 28, 2023 · 1 comment · Fixed by #6055
Closed

Building OPA with SELinux enforced #6054

zregvart opened this issue Jun 28, 2023 · 1 comment · Fixed by #6055
Labels

Comments

@zregvart
Copy link
Contributor

zregvart commented Jun 28, 2023

Short description

Building OPA with SELinux enforced by running make fails when performing steps within a Docker container as it can't write back to the host file system. Adding :Z option to the volume mounts helps with this.

I'm happy to provide a pull request adding the :Z flag to the volume mounts.

Example:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

$ git rev-parse HEAD
917bc9ce7b41cd981f87c3f6e21e7b790ecc66e7

$ make
make[1]: Entering directory '/home/zregvart/tmp/opa/wasm'
make: stat: GNUmakefile: Permission denied
make: stat: makefile: Permission denied
make: stat: Makefile: Permission denied
make: stat: _obj/opa.wasm: Permission denied
make: *** No rule to make target '_obj/opa.wasm'.  Stop.
failed to resize tty, using default size
make[1]: *** [Makefile:69: build] Error 2
make[1]: Leaving directory '/home/zregvart/tmp/opa/wasm'
make: *** [Makefile:204: wasm-lib-build] Error 2

# disable SELinux
$ sudo setenforce 0

$ make
make[1]: Entering directory '/home/zregvart/tmp/opa/wasm'
make: '_obj/opa.wasm' is up to date.
make: '_obj/callgraph.csv' is up to date.
make[1]: Leaving directory '/home/zregvart/tmp/opa/wasm'
cp wasm/_obj/opa.wasm internal/compiler/wasm/opa/opa.wasm
cp wasm/_obj/callgraph.csv internal/compiler/wasm/opa/callgraph.csv
CGO_ENABLED=1 GOFLAGS="-buildmode=exe" go generate
CGO_ENABLED=1 GOFLAGS="-buildmode=exe" go build -tags=opa_wasm -o opa_linux_amd64 -ldflags " -X github.com/open-policy-agent/opa/version.Hostname=zregvart"
...

Steps To Reproduce

  1. Configure and enforce SElinux (say sudo setenforce 1)
  2. Try building by running make

Expected behavior

Build progresses regardless of SELinux being enforced.

@zregvart zregvart added the bug label Jun 28, 2023
@srenatus
Copy link
Contributor

Make needs to write to the filesystem to build OPA. So sounds like if that flag enables it to work on SELinux-enabled systems, and doesn't cause issues with the others, it would be a good contribution. Thanks!

zregvart added a commit to zregvart/opa that referenced this issue Jun 28, 2023
When SELinux is enforced the mounted volumes to spun Docker containers
are not writable unless the `:z` or `:Z` flag is set[1].

This opts not to share the mounts by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes open-policy-agent#6054

Signed-off-by: Zoran Regvart <[email protected]>
johanfylling added a commit that referenced this issue Jun 29, 2023
When SELinux is enforced the mounted volumes to spun Docker containers
are not writable unless the `:z` or `:Z` flag is set[1].

This opts not to share the mounts by using `:Z`.

[1] https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Fixes #6054

Signed-off-by: Zoran Regvart <[email protected]>
Co-authored-by: Johan Fylling <[email protected]>
zregvart added a commit to zregvart/opa that referenced this issue Jun 29, 2023
zregvart added a commit to zregvart/opa that referenced this issue Jun 29, 2023
zregvart added a commit to zregvart/opa that referenced this issue Jun 29, 2023
johanfylling added a commit that referenced this issue Jun 29, 2023
Ref #6054

Signed-off-by: Zoran Regvart <[email protected]>
Co-authored-by: Johan Fylling <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants