From: Ross Younger
Date: Wed, 19 May 2021 16:06:06 +1200
Subject: Re: Containerised APK builds and security xattrs
To: Ariadne Conill
Cc: Timo Teras, ~alpine/devel@lists.alpinelinux.org

Hi,

On Thu, 6 May 2021 at 02:26, Ariadne Conill wrote:
> Alpine itself does not use SELinux, so there should not be anything in
> abuild adding selinux label attributes to anything.

The obvious workaround seems to be to patch abuild to not include selinux labels in built packages. This certainly fits my use case, and is almost trivial: https://gitlab.alpinelinux.org/alpine/abuild/-/merge_requests/99

> It might be worth it
> to see why SELinux labels from the host environment are leaking into the
> container FS? If you can stop that somehow, it would save you a lot of
> time.

Unfortunately, I was not able to persuade Bitbucket to make any changes here.

Ross