From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: "Markus Armbruster" <armbru@redhat.com>,
"Alex Bennée" <alex.bennee@linaro.org>
Cc: qemu-devel@nongnu.org
Subject: [Qemu-devel] Running docker cross-tests with SELinux (was: Re: [PATCH v3 20/29] Include qemu/main-loop.h less)
Date: Thu, 15 Aug 2019 14:55:30 +0200
Message-ID: <de9a9584-006c-f110-7601-c9ce712dc91f@redhat.com>
In-Reply-To: <87r25ske6e.fsf@dusky.pond.sub.org>

Hi Alex,

On 8/10/19 9:34 PM, Markus Armbruster wrote:
>
> There are a few SELinux gripes in my logs, like this one:
>
> type=AVC msg=audit(1565418107.93:125036): avc: denied { module_request } for pid=19599 comm="configure" kmod="binfmt-464c" scontext=system_u:system_r:container_t:s0:c611,c653 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

A few notes while chatting with Markus.

Another interesting syslog entry:

AVC avc: denied { mounton } for pid=24489 comm="mount"
path="/proc/sys/fs/binfmt_misc" dev="proc" ino=3907274
scontext=system_u:system_r:container_t:s0:c497,c743
tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0

Distrib is Fedora 30 with SELinux:

$ getenforce
Enforcing

$ make -k docker-test-build
[...]
BUILD binfmt debian-powerpc-user (debootstrapped)
No binfmt_misc entry for qemu-ppc
make: *** [tests/docker/Makefile.include:66:
docker-binfmt-image-debian-powerpc-user] Error 1make -k docker-test-build
make[1]: Entering directory 'bld'
GEN bld/docker-src.2019-08-11-23.50.37.5117/qemu.tar
COPY RUNNER
RUN test-build in qemu:debian-powerpc-user-cross
Unable to find image 'qemu:debian-powerpc-user-cross' locally
Trying to pull repository docker.io/library/qemu ...
Trying to pull repository quay.io/qemu ...
Trying to pull repository docker.io/library/qemu ...
/usr/bin/docker-current: repository docker.io/qemu not found: does not
exist or no pull access.
See '/usr/bin/docker-current run --help'.
Traceback (most recent call last):
File "tests/docker/docker.py", line 615, in <module>
sys.exit(main())
File "tests/docker/docker.py", line 611, in main
return args.cmdobj.run(args, argv)
File "tests/docker/docker.py", line 338, in run
return Docker().run(argv, args.keep, quiet=args.quiet)
File "tests/docker/docker.py", line 300, in run
quiet=quiet)
File "tests/docker/docker.py", line 207, in _do_check
return subprocess.check_call(self._command + cmd, **kwargs)
File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run',
'--label', 'com.qemu.instance.uuid=0e8b34a8bc8211e98734d8cb8ae0c842',
'-u', '1000', '--security-opt', 'seccomp=unconfined', '--rm',
'--net=none', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e',
'V=', '-e', 'J=', '-e', 'DEBUG=', '-e', 'SHOW_ENV=', '-e',
'CCACHE_DIR=/var/tmp/ccache', '-v',
'/home/armbru/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v',
'bld/docker-src.2019-08-11-23.50.37.5117:/var/tmp/qemu:z,ro',
'qemu:debian-powerpc-user-cross', '/var/tmp/qemu/run', 'test-build']'
returned non-zero exit status 125
make[1]: *** [tests/docker/Makefile.include:207: docker-run] Error 1
make[1]: Leaving directory 'bld'
make: *** [tests/docker/Makefile.include:241:
docker-run-test-build@debian-powerpc-user-cross] Error 2

Note the "No binfmt_misc entry for qemu-ppc" and syslog entry:
'AVC denied comm="mount" path="/proc/sys/fs/binfmt_misc" dev="proc"'.

Does the selinux-policy require tuning?
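
For triaging denials like the two quoted above, an added example (not part of the original message or of QEMU's tooling): it parses AVC records, groups them by source type, target type and class, and decodes the `binfmt-464c` module name. The kernel names that module after bytes 2-3 of a file it has no handler for; the decoding assumes a little-endian host, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the message, the second one
# re-joined onto a single line.
SAMPLE = (
    'type=AVC msg=audit(1565418107.93:125036): avc: denied { module_request } '
    'for pid=19599 comm="configure" kmod="binfmt-464c" '
    'scontext=system_u:system_r:container_t:s0:c611,c653 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0\n'
    'AVC avc: denied { mounton } for pid=24489 comm="mount" '
    'path="/proc/sys/fs/binfmt_misc" dev="proc" ino=3907274 '
    'scontext=system_u:system_r:container_t:s0:c497,c743 '
    'tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0\n'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC record
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec = {"result": m.group(1), "perms": m.group(2).split(),
           "comm": kv.get("comm"), "tclass": kv.get("tclass"),
           "enforced": kv.get("permissive") == "0",
           "object": kv.get("path") or kv.get("kmod") or kv.get("name")}
    for side in ("scontext", "tcontext"):
        # user:role:type:level; the level may itself contain ':' and ','
        parts = kv.get(side, "").split(":", 3)
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def binfmt_magic(kmod):
    # "binfmt-%04x" encodes bytes 2-3 of the unhandled file as a 16-bit
    # integer. Assumption: little-endian host.
    m = re.fullmatch(r"binfmt-([0-9a-f]{4})", kmod or "")
    return int(m.group(1), 16).to_bytes(2, "little") if m else None

def summarize(text):
    # Group denials by (source type, target type, object class).
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        if rec["result"] == "denied":
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["comms"].add(rec["comm"])
            g["objects"].add(rec["object"] or "-")
    return dict(groups)
```

`summarize(SAMPLE)` yields one group per denial here, both with source type `container_t`. `binfmt_magic("binfmt-464c")` returns `b"LF"`, the tail of the ELF magic `\x7fELF`, which is consistent with an attempt to execute an ELF binary that no registered handler claims.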