qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] Running docker cross-tests with SELinux (was: Re: [PATCH v3

From: Philippe Mathieu-Daudé
Subject: [Qemu-devel] Running docker cross-tests with SELinux (was: Re: [PATCH v3 20/29] Include qemu/main-loop.h less)
Date: Thu, 15 Aug 2019 14:55:30 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 
Hi Alex,

On 8/10/19 9:34 PM, Markus Armbruster wrote:
> 
> There are a few SELinux gripes in my logs, like this one:
> 
> type=AVC msg=audit(1565418107.93:125036): avc:  denied  { module_request } 
> for  pid=19599 comm="configure" kmod="binfmt-464c" 
> scontext=system_u:system_r:container_t:s0:c611,c653 
> tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Few notes while chatting with Markus.

Another interesting syslog entry:

AVC avc:  denied  { mounton } for  pid=24489 comm="mount"
path="/proc/sys/fs/binfmt_misc" dev="proc" ino=3907274
scontext=system_u:system_r:container_t:s0:c497,c743
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0

Distrib is Fedora 30 with SELinux:

$ getenforce
Enforcing

$ make -k docker-test-build
[...]
  BUILD   binfmt debian-powerpc-user (debootstrapped)
No binfmt_misc entry for qemu-ppc
make: *** [tests/docker/Makefile.include:66:
docker-binfmt-image-debian-powerpc-user] Error 1make -k docker-test-build
make[1]: Entering directory 'bld'
  GEN     bld/docker-src.2019-08-11-23.50.37.5117/qemu.tar
  COPY    RUNNER
    RUN test-build in qemu:debian-powerpc-user-cross
Unable to find image 'qemu:debian-powerpc-user-cross' locally
Trying to pull repository docker.io/library/qemu ...
Trying to pull repository quay.io/qemu ...
Trying to pull repository docker.io/library/qemu ...
/usr/bin/docker-current: repository docker.io/qemu not found: does not
exist or no pull access.
See '/usr/bin/docker-current run --help'.
Traceback (most recent call last):
  File "tests/docker/docker.py", line 615, in <module>
    sys.exit(main())
  File "tests/docker/docker.py", line 611, in main
    return args.cmdobj.run(args, argv)
  File "tests/docker/docker.py", line 338, in run
    return Docker().run(argv, args.keep, quiet=args.quiet)
  File "tests/docker/docker.py", line 300, in run
    quiet=quiet)
  File "tests/docker/docker.py", line 207, in _do_check
    return subprocess.check_call(self._command + cmd, **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run',
'--label', 'com.qemu.instance.uuid=0e8b34a8bc8211e98734d8cb8ae0c842',
'-u', '1000', '--security-opt', 'seccomp=unconfined', '--rm',
'--net=none', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e',
'V=', '-e', 'J=', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e',
'CCACHE_DIR=/var/tmp/ccache', '-v',
'/home/armbru/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v',
'bld/docker-src.2019-08-11-23.50.37.5117:/var/tmp/qemu:z,ro',
'qemu:debian-powerpc-user-cross', '/var/tmp/qemu/run', 'test-build']'
returned non-zero exit status 125
make[1]: *** [tests/docker/Makefile.include:207: docker-run] Error 1
make[1]: Leaving directory 'bld'
make: *** [tests/docker/Makefile.include:241:
docker-run-test-build@debian-powerpc-user-cross] Error 2

Note the "No binfmt_misc entry for qemu-ppc" and syslog entry:

'AVC denied comm="mount" path="/proc/sys/fs/binfmt_misc" dev="proc"'.

Does the selinux-policy require tuning?
reply via email to
[Prev in Thread] Current Thread [Next in Thread]