I don't see any avc when it fails while label:disable is set. I ran semodule -DB and retried. I now see dontaudit stuff but still no interesting denials.

I'm not sure if you were talking to me or Frank with the atomic command line... I pulled the label out docker inspect on the systemtap image so I can run it manually. Here is what I am running. All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap candidate-registry.fedoraproject.org/f26/systemtap

I also tried with --security-opt seccomp:unconfimed. That did not help.

Adding --privileged to the above command line, and systemtap works. This is likely the key difference between why systemtap has always worked in the rhel-tools container...the label on that image includes --privileged.

On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh <dwa...@redhat.com> wrote:
> On 10/05/2017 01:18 PM, Jeremy Eder wrote:
>> setenforce 0 works...security-opt label:disable does not.
>>
>> On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwa...@redhat.com> wrote:
>>> On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
>>>> wcohen forwarded:
>>>>
>>>> [...]
>>>>
>>>>> [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>> docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc candidate-registry.fedoraproject.org/f26/systemtap
>>>>> [...]
>>>>> ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
>>>>> [...]
>>>>
>>>> I bet
>>>> # setenforce 0
>>>> makes it work for you. As per audit.log:
>>>>
>>>> type=AVC msg=audit(1507222590.683:7940): avc: denied { module_load } for pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
>>>>
>>>> - FChE
>>>> _______________________________________________
>>>> devel mailing list -- de...@lists.fedoraproject.org
>>>> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>>>
>>> Rather then putting the system into permissive mode, you should run a privileged container or at least disable SELinux protections.
>>>
>>> docker run -ti --security-opt label:disable ...
>>>
>>
>> --
>> -- Jeremy Eder
>
> Could you show me the AVC you get when you do the label:disable?

--
-- Jeremy Eder
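Added illustration, not from the thread nor from the systemtap or docker projects: a small POSIX shell helper that pulls the relevant fields out of AVC records like the one Frank quoted and flags module_load denials, noting whether permissive=1 means the load was only logged and actually went through (which is why setenforce 0 "works"). The function names are my own and the sample line is the quoted record reassembled onto one line.

```shell
# Constructed sample: the AVC record from the thread, joined onto one line.
# Not captured from a live host.
SAMPLE_AVC='type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load } for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1'

# avc_summary (hypothetical helper): read audit records on stdin and print, for
# each AVC denial, "<permission> <comm> <source-domain> <tclass> <permissive-flag>".
# Non-AVC lines are dropped. The source domain is the type field of scontext
# (container_t here; a container started with label:disable or --privileged
# runs in a different, unconfined domain instead).
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([^ }]*\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*permissive=\([01]\).*/\1 \2 \3 \4 \5/p'
}

# module_load_denials (hypothetical helper): keep only module_load denials and
# say whether the record was logged-but-allowed (permissive=1, host in
# permissive mode) or actually blocked (permissive=0, enforcing mode).
module_load_denials() {
    avc_summary | while read -r perm comm domain tclass permissive; do
        [ "$perm" = module_load ] || continue
        if [ "$permissive" = 1 ]; then
            mode='logged-but-allowed (permissive)'
        else
            mode='blocked (enforcing)'
        fi
        printf '%s from domain %s (comm=%s, tclass=%s): %s\n' \
            "$perm" "$domain" "$comm" "$tclass" "$mode"
    done
}

# Stand-alone run over the constructed sample. On a real host you would feed
# it live records instead, e.g.: ausearch -m AVC -ts recent | module_load_denials
printf '%s\n' "$SAMPLE_AVC" | module_load_denials
```

A record with permissive=0 for the same domain and class is what the enforcing-mode failure in the atomic run looks like in audit.log.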