Hi Alex,

On 8/10/19 9:34 PM, Markus Armbruster wrote:
>
> There are a few SELinux gripes in my logs, like this one:
>
> type=AVC msg=audit(1565418107.93:125036): avc: denied { module_request }
> for pid=19599 comm="configure" kmod="binfmt-464c"
> scontext=system_u:system_r:container_t:s0:c611,c653
> tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Few notes while chatting with Markus.

Another interesting syslog entry:

  AVC avc: denied { mounton } for pid=24489 comm="mount" path="/proc/sys/fs/binfmt_misc" dev="proc" ino=3907274 scontext=system_u:system_r:container_t:s0:c497,c743 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0

Distrib is Fedora 30 with SELinux:

  $ getenforce
  Enforcing

  $ make -k docker-test-build
  [...]
  BUILD binfmt debian-powerpc-user (debootstrapped)
  No binfmt_misc entry for qemu-ppc
  make: *** [tests/docker/Makefile.include:66: docker-binfmt-image-debian-powerpc-user] Error 1
  make -k docker-test-build
  make[1]: Entering directory 'bld'
  GEN bld/docker-src.2019-08-11-23.50.37.5117/qemu.tar
  COPY RUNNER
  RUN test-build in qemu:debian-powerpc-user-cross
  Unable to find image 'qemu:debian-powerpc-user-cross' locally
  Trying to pull repository docker.io/library/qemu ...
  Trying to pull repository quay.io/qemu ...
  Trying to pull repository docker.io/library/qemu ...
  /usr/bin/docker-current: repository docker.io/qemu not found: does not exist or no pull access.
  See '/usr/bin/docker-current run --help'.
  Traceback (most recent call last):
    File "tests/docker/docker.py", line 615, in <module>
      sys.exit(main())
    File "tests/docker/docker.py", line 611, in main
      return args.cmdobj.run(args, argv)
    File "tests/docker/docker.py", line 338, in run
      return Docker().run(argv, args.keep, quiet=args.quiet)
    File "tests/docker/docker.py", line 300, in run
      quiet=quiet)
    File "tests/docker/docker.py", line 207, in _do_check
      return subprocess.check_call(self._command + cmd, **kwargs)
    File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
      raise CalledProcessError(retcode, cmd)
  subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', '--label', 'com.qemu.instance.uuid=0e8b34a8bc8211e98734d8cb8ae0c842', '-u', '1000', '--security-opt', 'seccomp=unconfined', '--rm', '--net=none', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/home/armbru/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', 'bld/docker-src.2019-08-11-23.50.37.5117:/var/tmp/qemu:z,ro', 'qemu:debian-powerpc-user-cross', '/var/tmp/qemu/run', 'test-build']' returned non-zero exit status 125
  make[1]: *** [tests/docker/Makefile.include:207: docker-run] Error 1
  make[1]: Leaving directory 'bld'
  make: *** [tests/docker/Makefile.include:241: docker-run-test-build@debian-powerpc-user-cross] Error 2

Note the "No binfmt_misc entry for qemu-ppc" and syslog entry: 'AVC denied comm="mount" path="/proc/sys/fs/binfmt_misc" dev="proc"'.

Does the selinux-policy require tuning?