[BUG] docker-buildx fails to build when selinux is enabled #1551

Open
eledu81 opened this issue Jan 24, 2023 · 2 comments
eledu81 commented Jan 24, 2023

Migrated from docker-compose issue #10191

docker-buildx fails to build a Dockerfile that RUNs a command requiring elevated privileges when SELinux is enabled in the host OS.

Steps To Reproduce

  1. Create a Dockerfile

```dockerfile
FROM alpine:3.17.1
RUN set -x && apk add -u bash
```

  2. Create compose.yml

```yaml
services:
  test:
    image: test
    build: .
```

  3. Run docker-buildx

```
docker buildx build .
```

```
[+] Building 4.8s (4/5)
 => [internal] load build definition from Dockerfile                                                               0.0s
 => => transferring dockerfile: 145B                                                                               0.0s
 => [internal] load .dockerignore                                                                                  0.0s
 => => transferring context: 2B                                                                                    0.0s
 => [internal] load metadata for docker.io/library/alpine:3.17.1                                                   2.2s
 => [1/2] FROM docker.io/library/alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851e  2.5s
 => => resolve docker.io/library/alpine:3.17.1@sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851e  0.0s
 => => sha256:f271e74b17ced29b915d351685fd4644785c6d1559dd1f2d4189a5e851ef753a 1.64kB / 1.64kB                     0.0s
 => => sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 528B / 528B                         0.0s
 => => sha256:042a816809aac8d0f7d7cacac7965782ee2ecac3f21bcf9f24b1de1a7387b769 1.47kB / 1.47kB                     0.0s
 => => sha256:8921db27df2831fa6eaa85321205a2470c669b855f3ec95d5a3c2b46de0442c9 3.37MB / 3.37MB                     1.4s
 => => extracting sha256:8921db27df2831fa6eaa85321205a2470c669b855f3ec95d5a3c2b46de0442c9                          0.3s
 => ERROR [2/2] RUN set -x && apk add -u bash                                                                      0.5s
------
 > [2/2] RUN set -x && apk add -u bash:
#0 0.491 + apk add -u bash
#0 0.498 ERROR: Unable to lock database: Permission denied
#0 0.499 ERROR: Failed to open apk database: Permission denied
------
ERROR: failed to solve: executor failed running [/bin/sh -c set -x && apk add -u bash]: exit code: 99
```

Docker Environment

```
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.10.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 20.10.20
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: /usr/libexec/docker/docker-init
 containerd version:
 runc version:
 init version:
 Security Options:
  seccomp
   Profile: default
  selinux
  cgroupns
 Kernel Version: 6.0.15-300.fc37.x86_64
 Operating System: Fedora CoreOS 37.20221225.3.0
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.825GiB
 Name: localhost.localdomain
 ID: YJBR:ZMIS:ETPJ:EQ4Z:KKQ4:ZRR7:BAGW:4Q3K:LNWE:RICX:HP5B:DAGI
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true
```

Buildx version

```
github.com/docker/buildx v0.10.0 876462897612d36679153c3414f7689626251501
```

Notes

  • Building the image with docker build doesn't fail
  • Disabling SELinux in the OS fixes the problem

@iblancasa

Same issue here. Using `buildx v0.10.1`.

@crazy-max
Member

Might be related to moby/buildkit#3203. Can you try with latest Docker 23 stable?
