On 10/05/2017 01:38 PM, Jeremy Eder wrote:
I don't see any avc when it fails while label:disable is set.
I ran semodule -DB and retried. I now see dontaudit stuff but still no interesting denials.

I'm not sure if you were talking to me or Frank with the atomic command line...

I pulled the label out of docker inspect on the systemtap image so I can run it manually. Here is what I am running.
All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap candidate-registry.fedoraproject.org/f26/systemtap

Should be SYS_MODULE not SYS_ADMIN or maybe both.
I also tried with --security-opt seccomp:unconfined. That did not help.

Adding --privileged to the above command line, and systemtap works.

This is likely the key difference, and why systemtap has always worked in the rhel-tools container: the label on that image includes --privileged.



On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh <dwa...@redhat.com> wrote:

    On 10/05/2017 01:18 PM, Jeremy Eder wrote:
    setenforce 0 works...security-opt label:disable does not.

    On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwa...@redhat.com> wrote:

        On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:

            wcohen forwarded:

                [...]

                     [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
                     docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc candidate-registry.fedoraproject.org/f26/systemtap
                     [...]
                     ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
                     [...]

            I bet
                # setenforce 0
            makes it work for you.  As per audit.log:

            type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun"
            scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921
            tclass=system permissive=1


            - FChE
            _______________________________________________
            devel mailing list -- devel@lists.fedoraproject.org
            To unsubscribe send an email to devel-le...@lists.fedoraproject.org


        Rather than putting the system into permissive mode, you
        should run a privileged container or at least disable SELinux
        protections.


        docker run -ti --security-opt label:disable ...





    -- Jeremy Eder

    Could you show me the AVC you get when you do the label:disable?





-- Jeremy Eder
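As an added example (not code from this thread or from any of its participants), a small triage routine that parses audit AVC records like the one Frank quoted and picks out denied module_load attempts coming from a container domain; the sample log is constructed from the thread's record plus one unrelated denial for contrast.

```python
"""Triage SELinux AVC records for kernel-module loads from container domains."""
import re
from typing import Optional

# Constructed sample input: line 1 is the AVC quoted in the thread,
# line 2 is a made-up unrelated file denial that must be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
type=AVC msg=audit(1507222600.100:7941): avc:  denied  { read } for  pid=7600 comm="cat" name="shadow" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Return result, permission list and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def module_load_denials(audit_text: str) -> list:
    """Denied module_load events (class 'system') whose source domain is container_*.

    This is the signature of a normally-labelled container (container_t) trying to
    insert a kernel module, which is what staprun does. permissive=1 means the
    denial was only logged (setenforce 0), permissive=0 means it was enforced.
    """
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if "module_load" not in rec["perms"] or rec.get("tclass") != "system":
            continue
        # scontext is user:role:type:level; the type is the third field.
        source_type = rec.get("scontext", "::").split(":")[2]
        if source_type.startswith("container_"):
            hits.append({"pid": rec.get("pid"), "comm": rec.get("comm"),
                         "scontext": rec["scontext"], "permissive": rec.get("permissive")})
    return hits
```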


