Re: [atomic-devel] tools and systemtap containers are available in Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 10/05/2017 01:38 PM, Jeremy Eder wrote:
I don't see any avc when it fails while label:disable is set.
I ran semodule -DB and retried.  I now see dontaudit stuff but still no interesting denials.

I'm not sure if you were talking to me or Frank with the atomic command line...

I pulled the label out docker inspect on the systemtap image so I can run it manually.  Here is what I am running.
All I have added is the --security-opt label:disable part.

# docker run --security-opt label:disable --cap-add SYS_ADMIN -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap candidate-registry.fedoraproject.org/f26/systemtap

Should be SYS_MODULE not SYS_ADMIN or maybe both.
I also tried with --security-opt seccomp:unconfimed.  That did not help.

Adding --privileged to the above command line, and systemtap works.

This is likely the key difference between why systemtap has always worked in the rhel-tools container...the label on that image includes --privileged.



On Thu, Oct 5, 2017 at 1:25 PM, Daniel Walsh <dwalsh@xxxxxxxxxx> wrote:
On 10/05/2017 01:18 PM, Jeremy Eder wrote:
setenforce 0 works...security-opt label:disable does not.

On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwalsh@xxxxxxxxxx> wrote:
On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
wcohen forwarded:

[...]
   [root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap <http://candidate-registry.fedoraproject.org/f26/systemtap>
     docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc candidate-registry.fedoraproject.org/f26/systemtap <http://candidate-registry.fedoraproject.org/f26/systemtap>
  [...]
     ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
[...]
I bet
    # setenforce 0
makes it work for you.  As per audit.log:

type=AVC msg=audit(1507222590.683:7940): avc:  denied  { module_load }
for  pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921
tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1


- FChE
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@lists.fedoraproject.org

Rather then putting the system into permissive mode, you should run a privileged container or at least disable SELinux protections.


docker run -ti --security-opt label:disable ...





--

-- Jeremy Eder

Could you show me the AVC you get when you do the label:disable?





--

-- Jeremy Eder


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux