document SELinux build requirements and update builder (gardenlinux#1701

)
sapcc · Jul 5, 2023 · e2d39cf · e2d39cf
1 parent 01bcd17
commit e2d39cf
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -81,6 +81,13 @@ To successfully build the project, ensure the following requirements are met:
 - **Memory:** The build process may require up to 8GiB of memory, depending on the selected targets. If your system has insufficient RAM, configure swap space accordingly.
 - **Container Engine:** The Builder has minimal dependencies and only requires a working container engine. It is recommended to use rootless Podman. Please refer to the [Podman rootless setup guide](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md) for instructions on setting it up.
 
+### SELinux
+
+If you intend to build targets with the `_selinux` feature some additional requirements apply to the build machine.
+Building the `_selinux` feature will not work on machines running in SELinux enforcing mode. Ideally you should build on a build machine with SELinux disabled, but if you want to build with SELinux in permissive mode this can be achieved by running build as root with the `--privileged` flag.
+
+i.e.: `sudo ./build --privileged ${target}`
+
 ## Secureboot
 
 If you intend to build targets with the `_secureboot` feature, you must first build the secureboot certificates.

diff --git a/build b/build
@@ -2,7 +2,7 @@
 
 set -eufo pipefail
 
-container_image=ghcr.io/gardenlinux/builder:d2d902dea6ee0c723189da4ea1b08d808414472c
+container_image=ghcr.io/gardenlinux/builder:33f40419183261641b2fb702240b8bde44ee0f1c
 container_engine=podman
 target_dir=.build
 
@@ -13,6 +13,8 @@ container_run_opts=(
 	--read-only
 )
 
+container_cmd=()
+
 use_kms=0
 resolve_cname=0
 
@@ -30,6 +32,11 @@ while [ $# -gt 0 ]; do
 			declare -a "container_run_opts=($2)"
 			shift 2
 			;;
+		--privileged)
+			container_run_opts+=(--privileged)
+			container_cmd=(--second-stage)
+			shift
+			;;
 		--kms)
 			use_kms=1
 			shift
@@ -98,4 +105,4 @@ if [ -d cert ]; then
 	container_mount_opts+=(-v "$PWD/cert:/builder/cert:ro")
 fi
 
-"$container_engine" run --rm "${container_run_opts[@]}" "${container_mount_opts[@]}" "$container_image" make --no-print-directory -C /builder "${make_opts[@]}" "$@"
+"$container_engine" run --rm "${container_run_opts[@]}" "${container_mount_opts[@]}" "$container_image" "${container_cmd[@]}" make --no-print-directory -C /builder "${make_opts[@]}" "$@"