In an automated test process, I have a docker container based on Fedora Rawhide, with Docker running on F27. That container runs a compilation process involving Qt 5.10 (from rawhide).
That compilation fails, and I have the following AVC:
type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 scontext=system_u:system_r:container_t:s0:c273,c916 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation test).
What do you suggest? The tool audit2allow says that I would need that module:
module qt5.10 1.0;

require {
    type container_runtime_t;
    type container_t;
    class fifo_file map;
}

#============= container_t ==============
allow container_t container_runtime_t:fifo_file map;
Is that permission dangerous? Why is it not in the policy?
Actually, I have no idea what mapping a fifo file means. From what I know, it makes no sense.
On 01/19/2018 05:19 PM, Laurent Rineau wrote:
In an automated test process, I have a docker container based on Fedora Rawhide, with Docker running on F27. That container runs a compilation process involving Qt 5.10 (from rawhide).
That compilation fails, and I have the following AVC:
type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 scontext=system_u:system_r:container_t:s0:c273,c916 tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0
When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation test).
What do you suggest? The tool audit2allow says that I would need that module:
module qt5.10 1.0;

require {
    type container_runtime_t;
    type container_t;
    class fifo_file map;
}

#============= container_t ==============
allow container_t container_runtime_t:fifo_file map;
Is that permission dangerous? Why is it not in the policy?
Dan,
Could you look at it please?
Thanks.
Actually, I have no idea what mapping a fifo file means. From what I know, it makes no sense.
selinux@lists.fedoraproject.org
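
How the fields of the AVC quoted in the thread lead to the rule that audit2allow printed, as an added example that is not part of the original messages and is not audit2allow's own code. The function names (`parse_avc`, `allow_rule`, `rule_scope`) and the regex-based parsing are assumptions of this example.

```python
import re

# The denial quoted in the thread, copied verbatim as sample input.
AVC = ('type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for '
       'pid=4046 comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 '
       'scontext=system_u:system_r:container_t:s0:c273,c916 '
       'tcontext=system_u:system_r:container_runtime_t:s0 '
       'tclass=fifo_file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC audit record into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in KV_RE.findall(m.group(3))}
    rec['result'], rec['perms'] = m.group(1), m.group(2).split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the MLS/MCS level can itself
        # contain ':' (s0:c273,c916), so split at most three times.
        parts = rec[side].split(':', 3)
        rec[side + '_type'] = parts[2]
        rec[side + '_level'] = parts[3] if len(parts) > 3 else ''
    return rec

def allow_rule(rec):
    """Build the type-enforcement rule that would permit the denied access."""
    perms = rec['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perm)

def rule_scope(rec):
    """Describe what the rule covers beyond the single denial that produced it."""
    return {
        # permissive=0 means the access was really blocked, not just logged.
        'enforced': rec.get('permissive') == '0',
        # The object carries another domain's label (here the pipe is
        # labelled container_runtime_t, not container_t).
        'crosses_domains': rec['scontext_type'] != rec['tcontext_type'],
        # Allow rules match on types only, so the level seen in the denial
        # (the per-container MCS categories) does not appear in the rule.
        'level_not_in_rule': rec['scontext_level'],
    }

if __name__ == '__main__':
    record = parse_avc(AVC)
    print(allow_rule(record))
    print(rule_scope(record))
```

Because the generated rule names only types, loading it would apply to every process running as container_t, not only to the container whose categories (c273,c916) appear in this denial.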