Merge pull request #17094 from bparees/crio_selinux

Automatic merge from submit-queue (batch tested with PRs 17476, 17143, 15115, 17094, 17500).

set selinux labels on build docker containers when running pods in crio

for bug https://bugzilla.redhat.com/show_bug.cgi?id=1507424

pkg/build/builder/docker.go

@@ -313,6 +313,11 @@ func (d *DockerBuilder) dockerBuild(dir string, tag string, secrets []buildapi.S
 	}
 	opts.NetworkMode = network
 	if len(resolvConfHostPath) != 0 {
+		cmd := exec.Command("chcon", "system_u:object_r:svirt_sandbox_file_t:s0", "/etc/resolv.conf")
+		err := cmd.Run()
+		if err != nil {
+			return fmt.Errorf("unable to set permissions on /etc/resolv.conf: %v", err)
+		}
 		opts.BuildBinds = fmt.Sprintf("[\"%s:/etc/resolv.conf\"]", resolvConfHostPath)
 	}
 	// Though we are capped on memory and cpu at the cgroup parent level,

pkg/build/builder/sti.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"strings"
 	"time"
@@ -203,6 +204,11 @@ func (s *S2IBuilder) Build() error {
 	}
 
 	if len(resolvConfHostPath) != 0 {
+		cmd := exec.Command("chcon", "system_u:object_r:svirt_sandbox_file_t:s0", "/etc/resolv.conf")
+		err := cmd.Run()
+		if err != nil {
+			return fmt.Errorf("unable to set permissions on /etc/resolv.conf: %v", err)
+		}
 		config.BuildVolumes = []string{fmt.Sprintf("%s:/etc/resolv.conf", resolvConfHostPath)}
 	}