postCreateCommand fails with EACCES using Docker Engine on an SELinux enforcing system

[strugee]

Basically, what the title says. See also #548; it appears that this bug is caused because the fix there was incomplete. In particular, having skimmed that issue to get a vague, possibly-incorrect understanding that the fix was to detect if the build phase was occurring under Buildah, I see two problems with this:

• Buildah (and Podman) can be run on non-SELinux systems, where this SELinux handling is not necessary (though AFAIK, it's a noop, so making it apply unconditionally is an option for a fix)
• SELinux restrictions are also hitting other, non-build phases - in my case, the postCreateCommand specified in devcontainer.json.

STR (these aren't my exact STR since I'm simplifying out Silverblue-related environmental setup that I'm confident doesn't matter - but if you somehow can't reproduce, I can provide more specific STR)

1. Install Fedora
2. Install Node from somewhere
3. npm install -g @devcontainers/cli
4. Clone home-assistant/core@4721f8e and cd into it
5. devcontainer up --workspace-folder .

Expected result: the command succeeds.

Actual result:

[lots of irrelevant output]
Step 10/10 : USER $IMAGE_USER
 ---> Using cache
 ---> 3876e42a0eba
Successfully built 3876e42a0eba
Successfully tagged vsc-core-6cd99f764fb93154741da6b8ffb75e0d12d5e8fa5728b883b20a277436d294a0-uid:latest
[4768 ms] Start: Run: docker run --sig-proxy=false -a STDOUT -a STDERR -p 8123:8123 -p 5683:5683/udp --mount type=bind,source=/var/home/alex/Development/core,target=/workspaces/core -l devcontainer.local_folder=/var/home/alex/Development/core -l devcontainer.config_file=/var/home/alex/Development/core/.devcontainer/devcontainer.json -e PYTHONASYNCIODEBUG=1 -e GIT_EDITOR=code --wait --entrypoint /bin/sh vsc-core-6cd99f764fb93154741da6b8ffb75e0d12d5e8fa5728b883b20a277436d294a0-uid -c echo Container started
Container started
Running the postCreateCommand from devcontainer.json...

/bin/sh: 1: script/setup: Permission denied
[7214 ms] postCreateCommand failed with exit code 126. Skipping any further user-provided commands.
Error: Command failed: /bin/sh -c script/setup
    at G7 (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:235:130)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async tm (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:4483)
    at async $w (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:3828)
    at async em (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:3032)
    at async pa (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:2438)
    at async FtA (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:465:1534)
    at async bH (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:465:964)
    at async TtA (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:482:3848)
    at async iB (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:482:4963)
{"outcome":"error","message":"Command failed: /bin/sh -c script/setup","description":"The postCreateCommand in the devcontainer.json failed.","containerId":"436ea8eaa4dfec5e42c5011ea09cbc45b7f980d8922054c7e93e1ce70cf6bc38"}

Environment info:

% docker --version
Docker version 24.0.5, build %{shortcommit_cli}

% devcontainer --version
0.71.0

% node --version
v20.12.2

% cat /etc/os-release # This is talking about a container image because I'm using Fedora Silverblue and running these commands inside a https://containertoolbx.org/ container - but Docker is running on the host; see below
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container

% type docker
docker is /var/home/alex/bin/docker

% cat ~/bin/docker # Basically, this script detects whether it's being run inside a toolbx container, and if it is, it runs the real command on the host instead of the container, to circumvent container-inside-container issues
#!/bin/sh

BINARY=$(basename $0)

CMDPREFIX=
test -f /run/.toolboxenv && CMDPREFIX='flatpak-spawn --host'

# Can't use `command` because this is a script, not a function/alias.
# This is evil because it breaks with paths including newlines, but those paths are evil anyway.
exec $CMDPREFIX $($CMDPREFIX which -a $BINARY | grep -Fve '~/bin/' -e ~/bin/ | head -1) "$@"

% flatpak-spawn --host getenforce # flatpak-spawn because getenforce doesn't exist inside the toolbx container image
Enforcing

[chrmarti]

We are using --mount to mount the workspace folder and Docker doesn't support the SELinux flags with that (Podman does). The recommendation appears to be to set these flags on the host folder with chcon.

The Dev Containers CLI could try to detect this and add the label itself. (Though I would need a better understanding of the security implications first.)