Skip to content

fix: add --security-opt label=disable to buildah from#113

Merged
k-rister merged 2 commits into
masterfrom
selinux-buildah-fix
May 8, 2026
Merged

fix: add --security-opt label=disable to buildah from#113
k-rister merged 2 commits into
masterfrom
selinux-buildah-fix

Conversation

@k-rister
Copy link
Copy Markdown
Contributor

@k-rister k-rister commented May 7, 2026

Summary

  • Replace 26 dead exit codes with UNAVAILABLE markers to prevent reuse
  • Add --security-opt label=disable to buildah from to prevent SELinux MCS category mismatch when buildah runs inside a podman container

Without the SELinux fix, the nested buildah container gets different MCS labels than the outer container, blocking access to /etc/resolv.conf and causing DNS resolution failures during engine image builds on systems with SELinux enforcing.

Test plan

  • Build an engine image on a system with SELinux enforcing
  • Verify DNS resolution works inside the buildah chroot

🤖 Generated with Claude Code

k-rister and others added 2 commits May 7, 2026 16:42
@k-rister @claude
feat: replace dead exit codes with UNAVAILABLE markers
3f7b9a6 
Replace 26 exit codes inherited from workshop.pl that are no longer
used in the Python implementation with sequentially numbered
UNAVAILABLE_N entries. Preserves numeric values to prevent reuse and
maintain stable exit code semantics.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@k-rister @claude
fix: add --security-opt label=disable to buildah from
fc82002 
Prevents SELinux MCS category mismatch when buildah runs inside a
podman container. Without this, the nested buildah container gets
different MCS labels than the outer container, blocking access to
/etc/resolv.conf and causing DNS resolution failures during image
builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@k-rister k-rister self-assigned this May 7, 2026
@k-rister k-rister requested a review from a team May 7, 2026 22:00
@project-crucible-tracking project-crucible-tracking Bot moved this to In Progress in Crucible Tracking May 7, 2026
@k-rister k-rister merged commit 52055cf into master May 8, 2026
2904 of 2952 checks passed
@k-rister k-rister deleted the selinux-buildah-fix branch May 8, 2026 15:05
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Crucible Tracking May 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@atheurer atheurer atheurer approved these changes

Assignees

@k-rister k-rister

Labels

None yet

Projects

Crucible Tracking
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k-rister @atheurer