On 10/05/2017 01:18 PM, Jeremy Eder wrote:
setenforce 0 works...security-opt label:disable does not.
On Thu, Oct 5, 2017 at 1:06 PM, Daniel Walsh <dwa...@redhat.com> wrote:
On 10/05/2017 01:00 PM, Frank Ch. Eigler wrote:
wcohen forwarded:
[...]
[root@dhcp23-91 ~]# atomic run --spc candidate-registry.fedoraproject.org/f26/systemtap
docker run --cap-add SYS_MODULE -v /sys/kernel/debug:/sys/kernel/debug -v /usr/src/kernels:/usr/src/kernels -v /usr/lib/modules/:/usr/lib/modules/ -v /usr/lib/debug:/usr/lib/debug -t -i --name systemtap-spc candidate-registry.fedoraproject.org/f26/systemtap
[...]
ERROR: Couldn't insert module '/tmp/stapNEjJDX/stap_4f013e7562b546a0316af840de9f0713_8509.ko': Operation not permitted
[...]
I bet
# setenforce 0
makes it work for you. As per audit.log:
type=AVC msg=audit(1507222590.683:7940): avc: denied { module_load } for pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1
- FChE
_______________________________________________
devel mailing list -- de...@lists.fedoraproject.org
Rather than putting the system into permissive mode, you should
run a privileged container or at least disable SELinux protections.
docker run -ti --security-opt label:disable ...
--
-- Jeremy Eder
Could you show me the AVC you get when you do the label:disable?
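As an added example (not part of this thread), a small Python parser for the AVC record shape quoted above: it extracts the fields, keeps only container-domain module_load denials, and reports whether the record was taken under permissive mode (permissive=1 means the load actually went through and was only logged). The first sample line is the one from the thread; the other two are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the avc record layout as printed in audit.log; optional fields that
# may appear between comm= and scontext= (name=, dev=, ino=, ...) are skipped.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): avc: +denied +'
    r'\{ *(?P<perms>[^}]*?) *\} +for +pid=(?P<pid>[0-9]+) +comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
    r'(?: +permissive=(?P<permissive>[01]))?'
)

@dataclass
class AvcDenial:
    ts: float
    perms: List[str]
    pid: int
    comm: str
    source_type: str   # SELinux type of the source context, e.g. container_t
    target_type: str
    tclass: str
    permissive: bool   # True: logged in permissive mode, so access was granted

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit.log line; None for non-AVC or unparsable lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcDenial(
        ts=float(m['ts']), perms=m['perms'].split(), pid=int(m['pid']),
        comm=m['comm'], source_type=m['scontext'].split(':')[2],
        target_type=m['tcontext'].split(':')[2], tclass=m['tclass'],
        permissive=m['permissive'] == '1',
    )

def container_module_loads(lines) -> List[AvcDenial]:
    """Keep denials where a container domain tried to load a kernel module."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.tclass == 'system' and 'module_load' in rec.perms \
                and rec.source_type.startswith('container_'):
            out.append(rec)
    return out

# Constructed sample log: the thread's record plus two made-up lines.
SAMPLE_LOG = [
    'type=AVC msg=audit(1507222590.683:7940): avc: denied { module_load } for pid=7595 comm="staprun" scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:system_r:container_t:s0:c534,c921 tclass=system permissive=1',
    'type=AVC msg=audit(1507222591.100:7941): avc: denied { read } for pid=7601 comm="cat" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c534,c921 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1507222650.250:7990): avc: denied { module_load } for pid=7700 comm="staprun" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:container_t:s0:c12,c34 tclass=system permissive=0',
]

if __name__ == '__main__':
    for rec in container_module_loads(SAMPLE_LOG):
        verdict = 'ALLOWED (permissive)' if rec.permissive else 'BLOCKED'
        print(f'{rec.ts} pid={rec.pid} {rec.comm} {rec.source_type}: module_load {verdict}')
```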