[makefile] disable security labeling instead of using --privileged

$(CURDIR) is mounted in podman as is which causes issues on systems with SELinux as then the container cannot read or write anything inside /src/. This has been worked around with the --privileged flag, but that's a rather brutal solution. Adding :Z is also suboptimal, as that requires a full relabeling after every run. Instead, we disable security labeling via `--security-opt label=disable` for this development container allowing us to run `make vendor-in-container` unprivileged. Signed-off-by: Dan Čermák <dcermak@suse.com>
author: Dan Čermák <dcermak@suse.com> 2022-08-25 10:56:41 +0200
committer: Dan Čermák <dcermak@suse.com> 2022-08-29 09:03:52 +0200
commit: dcb4d43570e852d9a87221d1ca83c205fa32d5a3 (patch)
tree: 2e1a1ed41af702dd280be246fd519d73c6637cd0 /Makefile
parent: d68eea60148e9fa4e24697104caa691b7e783380 (diff)
download: podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.tar.gz
podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.tar.bz2
podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index d10c9cf19..0ced638a6 100644
--- a/Makefile
+++ b/Makefile
@@ -285,8 +285,9 @@ vendor:
 
 .PHONY: vendor-in-container
 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root \
+	podman run --rm --env HOME=/root \
 		-v $(CURDIR):/src -w /src \
+		--security-opt label=disable \
 		docker.io/library/golang:1.17 \
 		make vendor
author	Dan Čermák <dcermak@suse.com>	2022-08-25 10:56:41 +0200
committer	Dan Čermák <dcermak@suse.com>	2022-08-29 09:03:52 +0200
commit	dcb4d43570e852d9a87221d1ca83c205fa32d5a3 (patch)
tree	2e1a1ed41af702dd280be246fd519d73c6637cd0 /Makefile
parent	d68eea60148e9fa4e24697104caa691b7e783380 (diff)
download	podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.tar.gz podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.tar.bz2 podman-dcb4d43570e852d9a87221d1ca83c205fa32d5a3.zip