SELinux blocks `docker build` when running with `DOCKER_BUILDKIT=1`

I noticed that SELinux blocks `docker build` when running with the environment variable `DOCKER_BUILDKIT=1` on Fedora CoreOS 37.20230122.1.1.

After running `sudo setenforce 0` it starts to work.

I reported the issue today to the container-selinux GitHub project:
https://github.com/containers/container-selinux/issues/201

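As an added example, not part of this post and not code from the container-selinux or BuildKit projects: a small POSIX shell helper that turns the AVC lines from `ausearch -m AVC -ts recent` (or from `/var/log/audit/audit.log`) into one summary line per denial, and lists the source domain types that could be put into permissive mode individually with `semanage permissive -a <domain>` instead of a blanket `setenforce 0`. That summary (source context, target context, object class, permissions) is what a bug report such as the one above should carry. The log lines embedded below are constructed for illustration and are not the actual denials behind this report.

```shell
#!/bin/sh
# Added example (not from the original thread, container-selinux or BuildKit).
# Summarise SELinux AVC denials so a report can name the contexts involved,
# and list the source domains that could be made permissive one at a time
# (semanage permissive -a <domain>) instead of running setenforce 0.
#
# Real use:  ausearch -m AVC -ts recent | avc_summary
#       or:  avc_summary "$(grep 'avc:  denied' /var/log/audit/audit.log)"

# One line per denial: scontext tcontext tclass permissions
# Reads the log text from $1 if given, otherwise from stdin.
avc_summary() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi | awk '
    /avc: +denied/ {
        perm = ""; sc = ""; tc = ""; cl = ""
        # permissions appear as "{ read open }" right after "denied"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      sc = substr($i, 10)
            else if ($i ~ /^tcontext=/) tc = substr($i, 10)
            else if ($i ~ /^tclass=/)   cl = substr($i, 8)
        }
        print sc, tc, cl, perm
    }'
}

# Distinct source domain types (third field of scontext), sorted,
# i.e. the candidates for "semanage permissive -a <domain>".
permissive_domains() {
    if [ $# -gt 0 ]; then avc_summary "$1"; else avc_summary; fi |
        awk '{ split($1, c, ":"); print c[3] }' | sort -u
}

# CONSTRUCTED sample audit lines for illustration only; they are not the
# real denials from the docker build / BuildKit report. The SYSCALL record
# is included to show that non-AVC records are ignored.
SAMPLE_AVC_LOG='type=AVC msg=audit(1675000000.123:456): avc:  denied  { mounton } for  pid=1234 comm="dockerd" path="/var/lib/docker/tmp" dev="dm-0" ino=42 scontext=system_u:system_r:container_runtime_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1675000000.124:457): avc:  denied  { read open } for  pid=1235 comm="buildkitd" path="/tmp/build.txt" dev="dm-0" ino=43 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1675000000.124:457): arch=c000003e syscall=257 success=no exit=-13'

# Stand-alone run over the constructed sample
avc_summary "$SAMPLE_AVC_LOG"
permissive_domains "$SAMPLE_AVC_LOG"
```

Run it as written to see the two summary lines and the two domain names for the constructed sample; on the affected host, pipe `ausearch -m AVC -ts recent` into `avc_summary` instead while the build is failing under enforcing mode. Putting only the reported source domain into permissive mode keeps the rest of the policy enforcing while the `container-selinux` fix is pending, and the denials keep being logged for the bug report.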

Since it used to work in the past for you, you can go back to older versions of Fedora CoreOS to find where the problem was introduced. It’s good to add this information to the bug report.

Good idea. I tested older versions of Fedora CoreOS and was able to reproduce the issue on all of them. I stopped testing any more versions after going back to the version
fedora-coreos-36.20220325.1.0-live.aarch64.iso.
I must have remembered things incorrectly when I thought that it worked in the past (i.e. a few months ago).

Some days ago I asked the BuildKit Slack channel for advice and was told that the problem is probably related to the issue:

It seems to be some sort of ordering problem.

Quote:
“This works correctly for labeling the process, and for labeling most mounts. However, the new generateSecurityOpts() function is called from oci.GenerateSpec, which only happens after mounting the rootfs.”

from rootfs not labeled with SELinux mount label · Issue #2320 · moby/buildkit · GitHub