On a system with an enforcing SELinux, the command `make DOCKER=podman docker build` fails on the `docker-ui` target with the error

```
Writing manifest to image destination
cp: cannot access '/src/.': Permission denied
make[1]: *** [Makefile:230: docker-ui] Error 1
make[1]: Leaving directory '~/src/leash'
make: *** [Makefile:245: build-ui] Error 2
```

This is because SELinux prevents containers from reading directories that aren't appropriately labeled, even if they're bind-mounted into the container. Podman (and Docker) can be instructed to label the directories appropriately so they are accessible, by adding the `z` mode to the binding directive. This should be a safe change to ship by default because it is a noop on all non-SELinux platforms as far as I know.
diff --git a/Makefile b/Makefile
index 07daa00..9ad71a6 100644
--- a/Makefile
+++ b/Makefile
@@ -231,9 +231,9 @@ docker-ui: precommit ## Build the Control UI using Docker
-e CI=true \
-e PNPM_STORE_DIR=/pnpm/store \
-e HOST_UID=$(shell id -u) -e HOST_GID=$(shell id -g) \
- -v "$(CURDIR)/controlui/web:/src:ro" \
- -v "$(CURDIR)/internal/ui/dist:/out" \
- -v "$(UI_CACHE_DIR):/cache" \
+ -v "$(CURDIR)/controlui/web:/src:ro,z" \
+ -v "$(CURDIR)/internal/ui/dist:/out:z" \
+ -v "$(UI_CACHE_DIR):/cache:z" \
-v $(PNPM_CACHE_VOLUME):/pnpm/store \
-v $(COREPACK_CACHE_VOLUME):/root/.cache/node/corepack \
-v $(NEXT_CACHE_VOLUME):/work/.next/cache \
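Review bot: the `z` option relabels the host directories in place, so `$(CURDIR)/controlui/web`, `$(CURDIR)/internal/ui/dist` and `$(UI_CACHE_DIR)` keep the shared container label after the build finishes; that is fine for paths inside the checkout, but `UI_CACHE_DIR` is defined outside this hunk, so it is worth guarding or documenting that it never resolves to a broadly shared location (a user's whole cache directory, for example), where the relabel would affect unrelated processes. A one-line Makefile comment explaining why the shared `z` was chosen over the private `Z` would also help the next reader, since `Z` would reserve the directories for a single container. The named volumes on the three unchanged lines correctly stay without the option, as they are not host bind mounts.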
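To confirm on a given host whether the relabel is needed and whether it took effect, the following shell helpers are useful. This is an added example and not code from the leash project or its Makefile; it assumes the standard `getenforce` and `ls -Zd` tools, and the `context_type`/`bind_arg`/`check_label` names and the sample SELinux contexts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the leash Makefile: decide whether a bind mount
# needs the ":z" relabel option on this host and verify the label afterwards.
# Assumes getenforce(8) and "ls -Zd"; the contexts used in the self-test are
# constructed for illustration and not captured from a real host.

# context_type CONTEXT -> prints the type field of an SELinux file context,
# e.g. "unconfined_u:object_r:user_home_t:s0" -> "user_home_t"
context_type() {
    printf '%s\n' "$1" | awk -F: '{print $3}'
}

# container_readable TYPE -> exit 0 when a container process may read files of
# TYPE without a relabel (the types podman assigns to ":z"/":Z" mounts)
container_readable() {
    case "$1" in
        container_file_t|container_ro_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# bind_arg HOST CTR OPTS MODE -> prints the value for "-v"; appends ",z" only
# when MODE (the getenforce output) is Enforcing or Permissive. Permissive is
# included because the denial is still logged to the audit log there.
bind_arg() {
    host=$1; ctr=$2; opts=$3; mode=$4
    case "$mode" in
        Enforcing|Permissive) opts="${opts:+$opts,}z" ;;
    esac
    printf '%s:%s%s\n' "$host" "$ctr" "${opts:+:$opts}"
}

# host_mode -> getenforce output, or "Disabled" when SELinux tooling is absent
host_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo Disabled; fi
}

# check_label DIR -> exit 0 when DIR's current label is readable by containers.
# "ls -Zd" prints the context as its first field.
check_label() {
    ctx=$(ls -Zd "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$ctx" ] || return 1
    container_readable "$(context_type "$ctx")"
}

# Usage on a real host, mirroring the three bind mounts from the Makefile:
#   mode=$(host_mode)
#   podman run -v "$(bind_arg "$PWD/controlui/web" /src ro "$mode")" ... image
#   check_label "$PWD/controlui/web" || echo "relabel did not take effect"
```

`check_label` is the quick way to tell whether a failing build is the labeling problem described above (the directory will show a type such as `user_home_t` rather than `container_file_t`) before reaching for `--security-opt label=disable`, which turns off SELinux confinement for the whole container instead of relabeling three directories.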