From e2d39cf58e3ab53646c5a05d27f9d9e6576b8ade Mon Sep 17 00:00:00 2001
From: nkraetzschmar <9020053+nkraetzschmar@users.noreply.github.com>
Date: Wed, 5 Jul 2023 11:48:49 +0200
Subject: [PATCH] document SELinux build requirements and update builder (#1701)
---
 README.md | 7 +++++++
 build | 11 +++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fc4ad68f2..cc1667b4f 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,13 @@ To successfully build the project, ensure the following requirements are met:
 - **Memory:** The build process may require up to 8GiB of memory, depending on the selected targets. If your system has insufficient RAM, configure swap space accordingly.
 - **Container Engine:** The Builder has minimal dependencies and only requires a working container engine. It is recommended to use rootless Podman. Please refer to the [Podman rootless setup guide](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md) for instructions on setting it up.
+### SELinux
+
+If you intend to build targets with the `_selinux` feature some additional requirements apply to the build machine.
+Building the `_selinux` feature will not work on machines running in SELinux enforcing mode. Ideally you should build on a build machine with SELinux disabled, but if you want to build with SELinux in permissive mode this can be achieved by running build as root with the `--privileged` flag.
+
+i.e.: `sudo ./build --privileged ${target}`
+
 ## Secureboot
 If you intend to build targets with the `_secureboot` feature, you must first build the secureboot certificates.
diff --git a/build b/build
index 9225ef219..8e9497e54 100755
--- a/build
+++ b/build
@@ -2,7 +2,7 @@
 set -eufo pipefail
-container_image=ghcr.io/gardenlinux/builder:d2d902dea6ee0c723189da4ea1b08d808414472c
+container_image=ghcr.io/gardenlinux/builder:33f40419183261641b2fb702240b8bde44ee0f1c
 container_engine=podman
 target_dir=.build
@@ -13,6 +13,8 @@ container_run_opts=(
 --read-only
 )
+container_cmd=()
+
 use_kms=0
 resolve_cname=0
@@ -30,6 +32,11 @@ while [ $# -gt 0 ]; do
 declare -a "container_run_opts=($2)"
 shift 2
 ;;
+ --privileged)
+ container_run_opts+=(--privileged)
+ container_cmd=(--second-stage)
+ shift
+ ;;
 --kms)
 use_kms=1
 shift
@@ -98,4 +105,4 @@ if [ -d cert ]; then
 container_mount_opts+=(-v "$PWD/cert:/builder/cert:ro")
 fi
-"$container_engine" run --rm "${container_run_opts[@]}" "${container_mount_opts[@]}" "$container_image" make --no-print-directory -C /builder "${make_opts[@]}" "$@"
+"$container_engine" run --rm "${container_run_opts[@]}" "${container_mount_opts[@]}" "$container_image" "${container_cmd[@]}" make --no-print-directory -C /builder "${make_opts[@]}" "$@"
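Review bot: The new `--privileged` arm appends to `container_run_opts`, but the arm just above it does `declare -a "container_run_opts=($2)"`, which replaces the whole array; if that option is given after `--privileged` on the command line, `--privileged` is silently dropped while `container_cmd=(--second-stage)` stays set, and the container is started in second-stage mode without the privileges the README says it needs. Recording a flag in the arm and applying both settings once after the option loop removes the order dependence, as sketched below. Separately, `--privileged` removes nearly all container isolation (all capabilities, no seccomp/AppArmor/SELinux confinement, host device access), and with the documented `sudo ./build --privileged` invocation the builder image runs with effective host root, so the arm deserves a comment saying so and the `container_image` reference (a commit tag, not a `@sha256:` digest) becomes the only thing standing between the registry and the host. The enclosing `while [ $# -gt 0 ]` loop starts and ends outside this hunk, and the name of the option that resets `container_run_opts` is not visible here.
```shell
privileged=0
# … unchanged: other option arms …
	--privileged)
		privileged=1
		shift
		;;
# … unchanged: remaining arms and the end of the option loop …
# Applied after parsing so a later option that re-declares container_run_opts
# cannot drop --privileged while --second-stage stays set. --privileged
# disables most container isolation (all caps, no seccomp/LSM confinement,
# host devices); only needed for SELinux-labelled builds, see README "SELinux".
if [ "$privileged" = 1 ]; then
	container_run_opts+=(--privileged)
	container_cmd=(--second-stage)
fi
```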
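Review bot: The new `"${container_cmd[@]}"` on the `run` line expands an array that is empty in every build not started with `--privileged`, and this script runs under `set -eufo pipefail`; bash releases before 4.4 report an empty array expanded with `[@]` as an unbound variable under `-u`, so on such hosts (e.g. the stock macOS bash 3.2) every non-privileged build would abort at this line. Writing it as `"${container_cmd[@]+"${container_cmd[@]}"}"` expands to nothing when the array is empty on every bash version and is unchanged for the privileged path. The shebang is outside this patch; if the project already requires bash 4.4 or newer this is moot, but the guarded form costs nothing.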