podman-container-tools · giuseppe · May 28, 2026 · May 21, 2026 · May 21, 2026 · mtrmac
diff --git a/go.mod b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/opencontainers/runc v1.4.2
 	github.com/opencontainers/runtime-spec v1.3.0
 	github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8
-	github.com/opencontainers/selinux v1.14.1
+	github.com/opencontainers/selinux v1.15.0
 	github.com/openshift/imagebuilder v1.2.21
 	github.com/seccomp/libseccomp-golang v0.11.1
 	github.com/sirupsen/logrus v1.9.4

diff --git a/go.sum b/go.sum
@@ -197,8 +197,8 @@ github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8 h1:2NAWFjN0PmdIe3XojVL9wf3lJ1//VqAgc7MOSYHQslE=
 github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8/go.mod h1:DKDEfzxvRkoQ6n9TGhxQgg2IM1lY4aM0eaQP4e3oElw=
-github.com/opencontainers/selinux v1.14.1 h1:a7XlXV/nN/l5zFP1FWZYoExpClu1QOPMfWUV2CZ8kEQ=
-github.com/opencontainers/selinux v1.14.1/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
+github.com/opencontainers/selinux v1.15.0 h1:4Gs40e/R2FvM8PC1HPaPncLLaDor8Y2WDfk5gjU9o5M=
+github.com/opencontainers/selinux v1.15.0/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
 github.com/openshift/imagebuilder v1.2.21 h1:XX0tZVznWTxzYevvNVZ/0eeTzmgY6cfcT4/xjs5ToyU=
 github.com/openshift/imagebuilder v1.2.21/go.mod h1:+L09sXUQ0RPdCU1tmzKrfBhqMlYvZtaA3MHb7aTjVU8=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

diff --git a/selinux.go b/selinux.go
@@ -1,30 +1,25 @@
-//go:build linux
-
 package buildah
 
 import (
 	"errors"
 	"fmt"
 	"os"
+	"runtime"
 
 	"github.com/opencontainers/runtime-tools/generate"
 	selinux "github.com/opencontainers/selinux/go-selinux"
 )
 
-func selinuxGetEnabled() bool {
-	return selinux.GetEnabled()
-}
-
 func setupSelinux(g *generate.Generator, processLabel, mountLabel string) {
-	if processLabel != "" && selinux.GetEnabled() {
+	if runtime.GOOS == "linux" && processLabel != "" && selinux.GetEnabled() {
 		g.SetProcessSelinuxLabel(processLabel)
 		g.SetLinuxMountLabel(mountLabel)
 	}
 }
 
 func runLabelStdioPipes(stdioPipe [][]int, processLabel, mountLabel string) error {
-	if !selinuxGetEnabled() || processLabel == "" || mountLabel == "" {
-		// SELinux is completely disabled, or we're not doing anything at all with labeling
+	if runtime.GOOS != "linux" || !selinux.GetEnabled() || processLabel == "" || mountLabel == "" {
+		// Not on Linux, or SELinux is disabled, or empty labels.
 		return nil
 	}
 	pipeContext, err := selinux.ComputeCreateContext(processLabel, mountLabel, "fifo_file")

diff --git a/selinux_unsupported.go b/selinux_unsupported.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -322,7 +322,7 @@ github.com/opencontainers/runtime-spec/specs-go
 github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/validate/capabilities
-# github.com/opencontainers/selinux v1.14.1
+# github.com/opencontainers/selinux v1.15.0
 ## explicit; go 1.22
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label