Incompatible with SELinux #73

Open
Hyperboid opened this issue May 27, 2024 · 17 comments

@Hyperboid

When running libdragon init on Fedora Server 39, it fails with the following error:

Command docker exec --workdir /libdragon/libdragon -u 1000:1000 -i 5686f4bc6577c7604336f5e16e3bd92a5493bb791edc40b4a331694175df258e /bin/bash ./build.sh exited with code 126.
Command error output:
/bin/bash: ./build.sh: Permission denied
SELinux Logs during libdragon init
type=AVC msg=audit(1716793122.966:814): avc:  denied  { write } for  pid=8150 comm="mkdir" name="libdragon" dev="dm-0" ino=10808131 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:815): avc:  denied  { add_name } for  pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:816): avc:  denied  { create } for  pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:817): avc:  denied  { write } for  pid=8169 comm="cc1" name="build" dev="dm-0" ino=28758875 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:818): avc:  denied  { add_name } for  pid=8169 comm="cc1" name="fmath.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:819): avc:  denied  { create } for  pid=8169 comm="cc1" name="fmath.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.018:820): avc:  denied  { write open } for  pid=8169 comm="cc1" path="/libdragon/libdragon/build/fmath.d" dev="dm-0" ino=28758876 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.020:821): avc:  denied  { write } for  pid=8170 comm="as" name="build" dev="dm-0" ino=28758875 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.020:822): avc:  denied  { add_name } for  pid=8170 comm="as" name="fmath.o" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.020:823): avc:  denied  { read } for  pid=8170 comm="as" path="/libdragon/libdragon/build/fmath.o" dev="dm-0" ino=28758877 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.156:824): avc:  denied  { create } for  pid=8200 comm="mkdir" name="libcart" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793124.635:826): avc:  denied  { setattr } for  pid=8382 comm="ld" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793124.637:827): avc:  denied  { remove_name } for  pid=8384 comm="mv" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793124.637:828): avc:  denied  { rename } for  pid=8384 comm="mv" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793124.687:829): avc:  denied  { unlink } for  pid=8398 comm="rm" name="rsp_crash.text.bin" dev="dm-0" ino=28759188 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793126.462:831): avc:  denied  { write } for  pid=8647 comm="cc1" name="tools" dev="dm-0" ino=818563 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793126.462:832): avc:  denied  { add_name } for  pid=8647 comm="cc1" name="n64tool.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793126.592:833): avc:  denied  { remove_name } for  pid=8662 comm="mips64-elf-ar" name="stI8byUA" dev="dm-0" ino=10808271 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793131.859:834): avc:  denied  { rmdir } for  pid=8886 comm="rm" name="libcart" dev="dm-0" ino=818599 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
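The AVC lines above are the evidence that matters here: a process running as container_t is refused access to files labelled user_home_t. As an added example (not part of the original report), a small POSIX shell triage script that parses lines of that shape, pulls out the process, the permission and the source/target types, and flags the container_t to non-container_file_t mismatch that a :Z mount or chcon fixes; the two sample lines are constructed from this thread.

```shell
#!/bin/sh
# Added example (not from the libdragon project): triage SELinux AVC lines of the
# kind pasted in this issue. For each line it reports the process, the denied
# permission, the source and target types, and whether the denial was enforced
# (permissive=0) or only logged (permissive=1).

# Constructed sample: two lines modelled on the ones in this thread.
AVC_SAMPLE='type=AVC msg=audit(1716793122.966:814): avc:  denied  { write } for  pid=8150 comm="mkdir" name="libdragon" dev="dm-0" ino=10808131 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1738917729.260:9066): avc:  denied  { read } for  pid=1310285 comm="bash" name="build.sh" dev="dm-0" ino=13350355 scontext=system_u:system_r:container_t:s0:c198,c767 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of KEY=... in LINE, quotes stripped (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# se_type CONTEXT -> the type component (third field) of an SELinux context
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission list inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_triage LINE -> "<comm> <perm> <stype>-><ttype> enforced|permissive [label-mismatch]"
# label-mismatch is flagged when a container_t process hits a target type other than
# container_file_t (user_home_t here), which is exactly what :Z / chcon change.
avc_triage() {
    line=$1
    comm=$(avc_field "$line" comm)
    stype=$(se_type "$(avc_field "$line" scontext)")
    ttype=$(se_type "$(avc_field "$line" tcontext)")
    perm=$(avc_perm "$line")
    case $(avc_field "$line" permissive) in
        0) mode=enforced ;; *) mode=permissive ;;
    esac
    verdict=""
    if [ "$stype" = container_t ] && [ "$ttype" != container_file_t ]; then
        verdict=" label-mismatch"
    fi
    printf '%s %s %s->%s %s%s\n' "$comm" "$perm" "$stype" "$ttype" "$mode" "$verdict"
}

# Run the triage over the constructed sample, one line at a time.
printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r l; do avc_triage "$l"; done
```

Feed it real lines with `ausearch -m AVC -ts recent | sh -c 'while IFS= read -r l; do avc_triage "$l"; done'` after sourcing the functions; permissive=1 lines are what you see while testing in Permissive mode, permissive=0 lines are the ones that actually break the build.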
@anacierdem
Owner

@PolyPoyo Is it possible that your docker requires root?

@Hyperboid
Author

@PolyPoyo Is it possible that your docker requires root?

No, it works just fine when in Permissive mode

@anacierdem
Owner

anacierdem commented Sep 30, 2024

Ok, -u 1000:1000 already suggests the same.
Can you share the full output of:
libdragon version and,
libdragon init -v?
Also how exactly do you install/use the tool, it might also help to debug the problem.

@anacierdem
Owner

I also suggest upgrading to latest.

@loganmc10

I have the same problem on Fedora 41

Initializing a libdragon project at /var/home/loganmc10/git_stuff/N64brew-GameJam2024
/var/home/loganmc10/git_stuff/N64brew-GameJam2024/.libdragon exists. This is already a libdragon project, starting it...
Creating new container...
Successfully initialized docker container: zealous_roentgen
libdragon is a submodule.
Using libdragon as a submodule vendoring target.
Installing libdragon to the container...
Command docker exec --workdir /libdragon/libdragon -u 1000:1000 -i c171c7dfcf9f799dd6f50bacdbf1bda9b2b2558ce5127c58b4c166efe3384cd3 /bin/bash ./build.sh exited with code 126.
Command error output:
/bin/bash: ./build.sh: Permission denied

I grabbed the latest version from the release page.

@loganmc10

From SELinux:

type=AVC msg=audit(1738917729.260:9066): avc:  denied  { read } for  pid=1310285 comm="bash" name="build.sh" dev="dm-0" ino=13350355 scontext=system_u:system_r:container_t:s0:c198,c767 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

@loganmc10

https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label

@anacierdem
Owner

Interesting. Not sure if this is caused by the packaged executable either. I’ll probably need someone with Fedora or SELinux to debug the issue. In general there are very few linux users and that’s probably why this wasn’t caught for a very long time.

I wonder if that z flag applies to Fedora or not…

For a bit of a lead here: the most straightforward strategy is making the tool exit just after it fails and manually execute the docker command to replicate & search for a solution.

@loganmc10

The problem is the way that it mounts the /libdragon volume

/var/home/loganmc10/Downloads/libdragon:/libdragon

needs to be (capital Z)

/var/home/loganmc10/Downloads/libdragon:/libdragon:Z

I'm not exactly sure where this /libdragon mount is declared though, I don't see it in the docker exec command

@anacierdem
Owner

'type=bind,source=' +
It does use the older --mount though.

@loganmc10

For example I can see right now it does this:

docker run -d --mount type=bind,source=/var/home/loganmc10/Downloads/libdragon,target=/libdragon -w=/libdragon ghcr.io/dragonminded/libdragon:latest tail -f /dev/null

According to Docker: "It is not possible to modify the SELinux label using the --mount flag."

So it would need to be:

docker run -d -v /var/home/loganmc10/Downloads/libdragon:/libdragon:Z -w=/libdragon ghcr.io/dragonminded/libdragon:latest tail -f /dev/null

@anacierdem
Owner

anacierdem commented Feb 7, 2025

Looks like a permanent change on the filesystem (from docker docs) and I honestly don’t know what “labels” are in the context of SELinux.

edit: I think this is the relevant feature

@anacierdem
Owner

I think we will need explicit approval from the user to add that label. It can be an SELinux specific config flag that you need to initially provide to lock the project to a given host path. But then it is not transferable to another system. I think providing the path manually as a flag on every init might be an ok solution.

@loganmc10

Yes it is a change to the filesystem, if you are worried about making these changes via the program, you could add some documentation like this:

loganmc10@fedora:~/git_stuff$ chcon -Rt container_file_t N64brew-GameJam2024
loganmc10@fedora:~/git_stuff$ chmod -R 777 N64brew-GameJam2024
loganmc10@fedora:~/git_stuff$ cd N64brew-GameJam2024
loganmc10@fedora:~/git_stuff$ libdragon init

This is what I need to do to get it to work on my system. chcon sets the correct SELinux label (this is the same thing that :Z does with docker). I also needed to do chmod -R 777 to make the folder world-writable. I think this is because you are setting the docker user to UID 1000, but the files are owned by my user (loganmc10)
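Putting the two fixes discussed in this thread together (the `-v ...:Z` mount form instead of `--mount`, and `chcon -Rt container_file_t` on the host directory), here is an added example, not the libdragon CLI's own code, of how a tool could pick the bind-mount flags and require an explicit opt-in before relabelling the user's directory, as the maintainer suggested above. The `--selinux-relabel` flag name and the `RELABEL` environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not the libdragon CLI's own code): choose the bind-mount flags for
# the build container. With SELinux enforcing, the host directory must carry the
# container_file_t label; `-v SRC:DST:Z` applies it (Z = private label, z = shared),
# while `--mount type=bind` cannot relabel, so the container gets "Permission denied".

# selinux_mode -> Enforcing | Permissive | Disabled (Disabled when getenforce is absent)
selinux_mode() {
    getenforce 2>/dev/null || echo Disabled
}

# bind_mount_args SRC DST MODE RELABEL -> docker/podman flag(s) for mounting SRC at DST.
# Relabelling is a persistent change to SRC, so it only happens when RELABEL=yes;
# otherwise the user is told how to opt in or relabel by hand (hypothetical flag name).
bind_mount_args() {
    src=$1 dst=$2 mode=$3 relabel=${4:-no}
    case $mode in
        Enforcing|Permissive)
            if [ "$relabel" = yes ]; then
                printf -- '-v %s:%s:Z' "$src" "$dst"
            else
                echo "SELinux is $mode: rerun with --selinux-relabel, or run: chcon -Rt container_file_t $src" >&2
                return 1
            fi ;;
        *) printf -- '--mount type=bind,source=%s,target=%s' "$src" "$dst" ;;
    esac
}

# needs_relabel PATH -> 0 (true) if PATH is not labelled container_file_t, 1 otherwise.
# `ls -Zd` prints the security context as its first column on SELinux systems.
needs_relabel() {
    ctx=$(ls -Zd "$1" 2>/dev/null | awk '{print $1}')
    case $ctx in
        *:container_file_t:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with the path from this thread; prints the command instead of running it.
SRC=/var/home/loganmc10/Downloads/libdragon
MODE=$(selinux_mode)
printf 'SELinux: %s\n' "$MODE"
needs_relabel "$SRC" && printf 'note: %s is not labelled container_file_t\n' "$SRC"
if ARGS=$(bind_mount_args "$SRC" /libdragon "$MODE" "${RELABEL:-no}"); then
    printf 'docker run -d %s -w=/libdragon ghcr.io/dragonminded/libdragon:latest tail -f /dev/null\n' "$ARGS"
fi
```

On an enforcing host, `RELABEL=yes sh example.sh` prints the `-v ...:Z` form; without it the script refuses and points at the manual `chcon` route, which keeps the filesystem change an explicit user decision.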

@anacierdem
Owner

Adding documentation is also a good middle ground as this is rather technical so I don’t expect an average user needing support for SELinux.

Docker user id is set to your actual user id so world-writable shouldn’t be necessary. At which point do you get an error when you don’t do that? Maybe there is something different with how SELinux handles users.

@loganmc10

oh haha true, I realize that I am UID 1000. This may be a Podman thing, I am using Podman rather than Docker. I notice that the files are created by UID 525287, which is probably a random UID generated by Podman

@anacierdem
Owner

On second thought, it should be the uid running the cli so I can’t think of a way podman can change things 🤔
