I don't see any avc when it fails while label:disable is set.
I ran semodule -DB and retried.  I now see dontaudit stuff but still no
interesting denials.

I'm not sure if you were talking to me or Frank with the atomic command
line...

I pulled the label out docker inspect on the systemtap image so I can run
it manually.  Here is what I am running.
All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN \
    -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels \
    -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i \
    --name systemtap candidate-registry.fedoraproject.org/f26/systemtap

I also tried with --security-opt seccomp:unconfined.  That did not help.

Add --privileged to the above command line, and systemtap works.

This is likely the key reason why systemtap has always worked in the
rhel-tools container: the label on that image includes --privileged.



On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh <dwa...@redhat.com> wrote:

> On 10/05/2017 01:18 PM, Jeremy Eder wrote:
>
> setenforce 0 works...security-opt label:disable does not.
>
> On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwa...@redhat.com> wrote:
>
>> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>>
>>> wcohen forwarded:
>>>
>>> [...]
>>>>
>>>>>    [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>>      docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug
>>>>> -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/
>>>>> -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc
>>>>> candidate-registry.fedoraproject.org/f26/systemtap
>>>>>   [...]
>>>>>      ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
>>>>> [...]
>>>>>
>>>> I bet
>>>     # setenforce 0
>>> makes it work for you.  As per audit.log:
>>>
>>> type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
>>> for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
>>> tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system
>>> permissive=1
>>>
>>>
>>> - FChE
>>> _______________________________________________
>>> devel mailing list -- de...@lists.fedoraproject.org
>>> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>>>
>>
>> Rather than putting the system into permissive mode, you should run a
>> privileged container or at least disable SELinux protections.
>>
>>
>> docker run -ti --security-opt label:disable ...
>>
>>
>>
>
>
> --
>
> -- Jeremy Eder
>
> Could you show me the AVC you get when you do the label:disable?
>
>
>


-- 

-- Jeremy Eder
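As an added example that is not part of the thread above, here is a small POSIX shell helper for triaging AVC records of the kind quoted in Frank's message: it pulls the denied permission, object class, process name, source and target SELinux domains and the permissive flag out of each `type=AVC` line, and counts how many of them are module_load denials raised from the container_t domain (the case the thread is about). The audit lines in SAMPLE_AUDIT are constructed for this example; the first is modelled on the denial quoted in the thread, the others are made up to show that non-AVC records and unrelated denials are skipped.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): summarise SELinux AVC
# records and count container module_load denials.
# SAMPLE_AUDIT is constructed input: line 1 mirrors the denial quoted in the
# thread, lines 2 and 3 are made-up records that the helpers should ignore.
SAMPLE_AUDIT='type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
type=AVC msg=audit(1507222600.100:7950): avc:  denied  { read } for  pid=7600 comm="cat" name="shadow" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1507222590.683:7940): arch=c000003e syscall=313 success=yes exit=0'

# avc_field LINE KEY -> value of "KEY=value" in LINE (surrounding quotes
# stripped); prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission set inside "denied { ... }", one word,
# with multiple permissions joined by commas.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' \
        | sed 's/ *$//' | tr ' ' ','
}

# summarize_avc LINE -> "perm tclass comm source_type target_type permissive"
# Returns 1 (and prints nothing) for records that are not type=AVC.
summarize_avc() {
    line=$1
    case $line in
        "type=AVC "*) ;;
        *) return 1 ;;
    esac
    perm=$(avc_perm "$line")
    tclass=$(avc_field "$line" tclass)
    comm=$(avc_field "$line" comm)
    # The SELinux type is the third colon-separated field of a context.
    src=$(avc_field "$line" scontext | cut -d: -f3)
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)
    perm_mode=$(avc_field "$line" permissive)
    # Substitute "-" for empty fields so the output stays positional.
    printf '%s %s %s %s %s %s\n' "${perm:--}" "${tclass:--}" "${comm:--}" \
        "${src:--}" "${tgt:--}" "${perm_mode:--}"
}

# container_module_loads TEXT -> number of AVC records in TEXT that deny
# module_load to a process running in the container_t domain.
container_module_loads() {
    text=$1
    count=0
    # Read from a here-document rather than a pipe so the loop runs in the
    # current shell and "count" survives it.
    while IFS= read -r line; do
        summary=$(summarize_avc "$line") || continue
        set -- $summary
        if [ "$1" = module_load ] && [ "$4" = container_t ]; then
            count=$((count + 1))
        fi
    done <<EOF
$text
EOF
    printf '%s\n' "$count"
}

# Stand-alone usage: one summary line per AVC record, then the count.
printf '%s\n' "$SAMPLE_AUDIT" | while IFS= read -r line; do
    summarize_avc "$line" || true
done
printf 'container module_load denials: %s\n' "$(container_module_loads "$SAMPLE_AUDIT")"
```

In practice the input would come from `ausearch -m avc` or straight from audit.log; the `permissive` field is worth keeping in the summary because a value of 1 (as in the quoted record, taken under setenforce 0) means the operation was allowed and only logged, while 0 means it was actually blocked.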
