From cb36be320fbac2ddc6ffe418046851d15efe455a Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Sun, 29 Sep 2024 23:19:44 -0400
Subject: [PATCH] Fix podman+selinux compatibility (#132)
When I ran `llama stack configure` for my `docker` based stack on my system using podman + SELinux (CentOS Stream 9), The `podman run` command failed due to SELinux blocking access to the volume mount. As a simple fix, disable SELinux label checking.
Signed-off-by: Russell Bryant
---
 llama_stack/distribution/build_container.sh | 3 +++
 llama_stack/distribution/configure_container.sh | 3 +++
 llama_stack/distribution/start_container.sh | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/llama_stack/distribution/build_container.sh b/llama_stack/distribution/build_container.sh
index fec1e394f..970da804e 100755
--- a/llama_stack/distribution/build_container.sh
+++ b/llama_stack/distribution/build_container.sh
@@ -117,6 +117,9 @@ if [ -n "$LLAMA_MODELS_DIR" ]; then
 mounts="$mounts -v $(readlink -f $LLAMA_MODELS_DIR):$models_mount"
 fi
+# Disable SELinux labels -- we don't want to relabel the llama-stack source dir
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 set -x
 $DOCKER_BINARY build $DOCKER_OPTS -t $image_name -f "$TEMP_DIR/Dockerfile" "$REPO_DIR" $mounts
 set +x
diff --git a/llama_stack/distribution/configure_container.sh b/llama_stack/distribution/configure_container.sh
index 56e45db7e..c7ff74793 100755
--- a/llama_stack/distribution/configure_container.sh
+++ b/llama_stack/distribution/configure_container.sh
@@ -27,6 +27,9 @@ docker_image="$1"
 host_build_dir="$2"
 container_build_dir="/app/builds"
+# Disable SELinux labels
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 set -x
 $DOCKER_BINARY run $DOCKER_OPTS -it \
 -v $host_build_dir:$container_build_dir \
diff --git a/llama_stack/distribution/start_container.sh b/llama_stack/distribution/start_container.sh
index ee581cac4..4618eb9c3 100755
--- a/llama_stack/distribution/start_container.sh
+++ b/llama_stack/distribution/start_container.sh
@@ -39,6 +39,9 @@ shift
 set -x
+# Disable SELinux labels
+DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"
+
 if [ -n "$LLAMA_CHECKPOINT_DIR" ]; then
 $DOCKER_BINARY run $DOCKER_OPTS -it \
 -p $port:$port \
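Review bot: The added `DOCKER_OPTS="$DOCKER_OPTS --security-opt label=disable"` in start_container.sh is unconditional, so the serving container that publishes `-p $port:$port` loses SELinux label separation on every host, not only where the volume mount was denied; the same line is added in build_container.sh and configure_container.sh. `label=disable` switches off SELinux confinement for the whole container rather than granting access to the one mounted path, which removes a containment layer around a network-facing process. For the two `run` scripts a narrower fix would be to relabel only the mounted directory, e.g. `-v $host_build_dir:$container_build_dir:z`, and to keep `label=disable` for the build, where the comment explains why the source dir should not be relabelled. If the flag stays, guard it with `if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then ... fi` and have the comment state the trade-off, `# Turns off SELinux confinement for this container; needed for volume mounts on enforcing hosts`. The `if [ -n "$LLAMA_CHECKPOINT_DIR" ]` block in start_container.sh continues outside the hunk, so other `run` invocations there may pick up the same option.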