setenforce 0 works...security-opt label:disable does not.

On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwa...@redhat.com> wrote:

> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>
>> wcohen forwarded:
>>
>> [...]
>>>
>>>>    [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>      docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>   [...]
>>>>      ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
>>>> [...]
>>>>
>>> I bet
>>     # setenforce 0
>> makes it work for you.  As per audit.log:
>>
>> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
>>
>>
>> - FChE
>> _______________________________________________
>> devel mailing list -- de...@lists.fedoraproject.org
>> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>>
>
> Rather than putting the system into permissive mode, you should run a
> privileged container or at least disable SELinux protections.
>
>
> docker run -ti --security-opt label:disable ...
>
>
>


-- 
Jeremy Eder
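A small shell helper, added here as an example and not taken from the thread or from the systemtap or atomic projects, that pulls the fields that matter out of an SELinux AVC record such as the one quoted above and flags the specific failure under discussion: a container domain denied `module_load` on the `system` class. The sample line is that record rejoined onto one line. It also reads the `permissive=` field, since `permissive=1` means the kernel logged the denial but still allowed the call. The domain names it matches on (`container_t` and the older `svirt_lxc_net_t`) are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an SELinux AVC record and
# detect "container domain denied system:module_load".

# Constructed sample: the AVC record quoted in the thread, rejoined on one line.
SAMPLE_AVC='type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1'

# avc_field LINE KEY -> value of "KEY=..." in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list inside "{ ... }", surrounding spaces stripped
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_domain LINE -> the type (third colon-separated field) of scontext
avc_domain() {
    avc_field "$1" scontext | cut -d: -f3
}

# avc_summary LINE -> "DOMAIN PERMS CLASS MODE"
# MODE is "logged-only" when permissive=1 (recorded, not enforced)
# and "enforced" otherwise.
avc_summary() {
    line=$1
    mode=enforced
    [ "$(avc_field "$line" permissive)" = 1 ] && mode=logged-only
    printf '%s %s %s %s\n' "$(avc_domain "$line")" "$(avc_perms "$line")" \
        "$(avc_field "$line" tclass)" "$mode"
}

# is_container_module_denial LINE -> exit 0 when a container domain
# (assumed names: container_t, svirt_lxc_net_t) was denied system:module_load,
# i.e. the staprun-inside-a-container failure discussed above.
is_container_module_denial() {
    case "$(avc_domain "$1")" in
        container_t|svirt_lxc_net_t) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$1" tclass)" = system ] || return 1
    case " $(avc_perms "$1") " in
        *" module_load "*) return 0 ;;
        *) return 1 ;;
    esac
}

avc_summary "$SAMPLE_AVC"
```

Feed it lines from `ausearch -m avc` or `/var/log/audit/audit.log`; the summary makes it obvious when a record was written with `permissive=1`, which is the case in the quoted log and is why `setenforce 0` changes the outcome.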
