From d672ac3bff9adf7ce05afe5ba0362993ce2cb032 Mon Sep 17 00:00:00 2001
From: Karl Rister <krister@redhat.com>
Date: Thu, 7 May 2026 16:46:58 -0500
Subject: [PATCH] fix: add --security-opt label=disable to buildah from

Prevents SELinux MCS category mismatch when buildah runs inside a
podman container. Without this, the nested buildah container gets
different MCS labels than the outer container, blocking access to
/etc/resolv.conf and causing DNS resolution failures during image
builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 workshop.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/workshop.pl b/workshop.pl
index 2a99de3..8ead8bb 100755
--- a/workshop.pl
+++ b/workshop.pl
@@ -1902,7 +1902,7 @@ sub update_container_pkgs {
 
 # create a new container based on the userenv source
 logger('info', "Creating temporary container...\n");
-($command, $command_output, $rc) = run_command("buildah from --name $tmp_container $origin_image_id");
+($command, $command_output, $rc) = run_command("buildah from --security-opt label=disable --name $tmp_container $origin_image_id");
 if ($rc != 0) {
     logger('info', "failed\n", 1);
     command_logger('error', $command, $rc, $command_output);