Description of problem: (I copy-paste here a message I sent to selinux.org on Fri, 19 Jan 2018 17:19:16 +0100.)

In an automated test process, I have a docker container based on Fedora Rawhide, with Docker running on F27. That container runs a compilation process involving Qt 5.10 (from rawhide). That compilation fails, and I have the following AVC:

    type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 scontext=system_u:system_r:container_t:s0:c273,c916 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0

When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation test). What do you suggest?

The tool audit2allow says that I would need that module:

    module qt5.10 1.0;

    require {
        type container_runtime_t;
        type container_t;
        class fifo_file map;
    }

    #============= container_t ==============
    allow container_t container_runtime_t:fifo_file map;

Is that permission dangerous? Why is it not in the policy? Actually, I have no idea what mapping a fifo file means. From what I know it makes no sense.

SELinux is preventing moc from 'map' accesses on the fifo_file fifo_file.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that moc should be allowed map access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'moc' --raw | audit2allow -M my-moc
# semodule -X 300 -i my-moc.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c730,c988
Target Context                system_u:system_r:container_runtime_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        moc
Source Path                   moc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64 x86_64
Alert Count                   8
First Seen                    2018-01-24 21:11:24 CET
Last Seen                     2018-01-24 21:11:36 CET
Local ID                      e242d0bf-a031-416b-b190-5c2dfb7c163b

Raw Audit Messages
type=AVC msg=audit(1516824696.449:1146): avc: denied { map } for pid=43900 comm="moc" path="pipe:[4612204]" dev="pipefs" ino=4612204 scontext=system_u:system_r:container_t:s0:c730,c988 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0

Hash: moc,container_t,container_runtime_t,fifo_file,map

Additional info:
component: selinux-policy
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.14.14-300.fc27.x86_64
type: libreport
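An added example, not part of the bug report and not audit2allow's own code, that parses AVC lines of the form quoted above and renders the same kind of .te module audit2allow printed for the reporter. It makes visible what such a local module grants: the MCS categories (c273,c916) are dropped, so the rule is a blanket allow for every process in container_t, not only moc, which is why waiting for the updated container-selinux package that closed this report is the better fix than installing the generated module. The sample AVC line is the one from the report, embedded as constructed input.

```python
import re

# Constructed sample input: the first AVC denial quoted in this report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1516334348.971:1059): avc:  denied  { map } for '
    'pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 '
    'scontext=system_u:system_r:container_t:s0:c273,c916 '
    'tcontext=system_u:system_r:container_runtime_t:s0 '
    'tclass=fifo_file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; only the type matters for a TE allow rule,
    # so the per-container MCS categories (c273,c916) are dropped here, as audit2allow does.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), tuple(sorted(m.group('perms').split()))


def fmt_perms(perms):
    # audit2allow writes a single permission bare and several inside braces.
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(name, denials):
    """Render a .te module in the shape audit2allow prints, from raw AVC lines."""
    rules = sorted({r for r in map(parse_avc, denials) if r is not None})
    types = sorted({t for r in rules for t in r[:2]})
    classes = {}
    for _, _, tclass, perms in rules:
        classes.setdefault(tclass, set()).update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt_perms(sorted(p))};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for stype, ttype, tclass, perms in rules:
        # Each rule is a blanket grant for every process in stype, not just comm="moc".
        out.append(f'allow {stype} {ttype}:{tclass} {fmt_perms(perms)};')
    return '\n'.join(out)
```

Feeding both AVC lines from the report (different pids and categories) yields a single allow rule, which shows how little of the denial's context the module preserves.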
The map permission is a new permission recognized by kernel and policy. We are still in the process of identifying which domains need that permission when accessing various objects on the file-system. More info can be found at:

* https://patchwork.kernel.org/patch/9713531/

Could you tell us which policy version is installed on your machine?
# rpm -qa selinux-policy\* container\* | sort
Thanks Milos for the link. Here is the list of packages on the machine:

    container-selinux-2.42-1.fc27.noarch
    container-storage-setup-0.8.0-2.git1d27ecf.fc27.noarch
    selinux-policy-3.13.1-283.21.fc27.noarch
    selinux-policy-devel-3.13.1-283.21.fc27.noarch
    selinux-policy-doc-3.13.1-283.21.fc27.noarch
    selinux-policy-sandbox-3.13.1-283.21.fc27.noarch
    selinux-policy-targeted-3.13.1-283.21.fc27.noarch
container-selinux-2.48-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c6b68a1cb0
container-selinux-2.48-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c6b68a1cb0
container-selinux-2.48-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.