anacierdem / libdragon-docker

Docker container for easy development with DragonMinded libdragon.
MIT License

Incompatible with SELinux #73

Open polypoyo opened 4 months ago

polypoyo commented 4 months ago

When running `libdragon init` on Fedora Server 39, it fails with the following error:

```
Command docker exec --workdir /libdragon/libdragon -u 1000:1000 -i 5686f4bc6577c7604336f5e16e3bd92a5493bb791edc40b4a331694175df258e /bin/bash ./build.sh exited with code 126.
Command error output:
/bin/bash: ./build.sh: Permission denied
```

SELinux logs during `libdragon init`:

```
type=AVC msg=audit(1716793122.966:814): avc: denied { write } for pid=8150 comm="mkdir" name="libdragon" dev="dm-0" ino=10808131 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:815): avc: denied { add_name } for pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:816): avc: denied { create } for pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:817): avc: denied { write } for pid=8169 comm="cc1" name="build" dev="dm-0" ino=28758875 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:818): avc: denied { add_name } for pid=8169 comm="cc1" name="fmath.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:819): avc: denied { create } for pid=8169 comm="cc1" name="fmath.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.018:820): avc: denied { write open } for pid=8169 comm="cc1" path="/libdragon/libdragon/build/fmath.d" dev="dm-0" ino=28758876 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.020:821): avc: denied { write } for pid=8170 comm="as" name="build" dev="dm-0" ino=28758875 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.020:822): avc: denied { add_name } for pid=8170 comm="as" name="fmath.o" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.020:823): avc: denied { read } for pid=8170 comm="as" path="/libdragon/libdragon/build/fmath.o" dev="dm-0" ino=28758877 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.156:824): avc: denied { create } for pid=8200 comm="mkdir" name="libcart" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793124.635:826): avc: denied { setattr } for pid=8382 comm="ld" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793124.637:827): avc: denied { remove_name } for pid=8384 comm="mv" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793124.637:828): avc: denied { rename } for pid=8384 comm="mv" name="rsp_crash.o" dev="dm-0" ino=28759187 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793124.687:829): avc: denied { unlink } for pid=8398 comm="rm" name="rsp_crash.text.bin" dev="dm-0" ino=28759188 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793126.462:831): avc: denied { write } for pid=8647 comm="cc1" name="tools" dev="dm-0" ino=818563 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793126.462:832): avc: denied { add_name } for pid=8647 comm="cc1" name="n64tool.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793126.592:833): avc: denied { remove_name } for pid=8662 comm="mips64-elf-ar" name="stI8byUA" dev="dm-0" ino=10808271 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793131.859:834): avc: denied { rmdir } for pid=8886 comm="rm" name="libcart" dev="dm-0" ino=818599 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
```
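As an added example (not code from libdragon-docker or from anyone in this thread), here is a small POSIX shell helper for triaging AVC records like the ones in the report. It groups the denied permissions by the SELinux *type* of the source and target contexts and by object class, since the type pair (`container_t` writing to `user_home_t`) is what the policy decision turns on, while the SELinux user (`system_u` vs `unconfined_u`) and MCS categories (`c694,c764`) vary from record to record without changing the verdict. A second check reports whether any target is still labelled `user_home_t`; on Docker with SELinux, a bind mount given the `:z` or `:Z` volume suffix is relabelled to `container_file_t`, which `container_t` may write. The function names are mine and the sample lines are copied from the first records in the report.

```sh
#!/bin/sh
# Added example, not part of libdragon-docker: summarize SELinux AVC denials.

# summarize_avc: read audit lines on stdin and print one line per
# "<source type> -> <target type> <tclass>" listing the distinct permissions
# denied, plus a marker when the record was logged in permissive mode
# (permissive=1 means the access was allowed and only logged).
summarize_avc() {
  awk '
    /type=AVC/ {
      # real auditd output puts two spaces around "denied"; the issue text has one
      if (!match($0, /denied +[{][^}]*[}]/)) next
      perms = substr($0, RSTART, RLENGTH)
      sub(/^denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
      sc = tc = cl = pm = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)        sc = substr($i, 10)
        else if ($i ~ /^tcontext=/)   tc = substr($i, 10)
        else if ($i ~ /^tclass=/)     cl = substr($i, 8)
        else if ($i ~ /^permissive=/) pm = substr($i, 12)
      }
      # contexts are user:role:type:level, so the type is the third field
      split(sc, s, ":"); split(tc, t, ":")
      key = s[3] " -> " t[3] " " cl
      if (!(key in order)) { order[key] = ++n; keys[n] = key }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = ((seen[key] == "") ? p[j] : seen[key] " " p[j])
      if (pm == "1") permissive[key] = 1
    }
    END {
      for (k = 1; k <= n; k++) {
        key = keys[k]
        printf "%s: %s%s\n", key, seen[key],
               ((key in permissive) ? " (permissive, not enforced)" : "")
      }
    }
  '
}

# targets_home_label: exit 0 when any record on stdin targets user_home_t,
# i.e. the bind-mounted host directory still carries its home-directory
# label and was never relabelled to container_file_t (what :z / :Z do).
targets_home_label() {
  grep -q 'tcontext=[^ ]*:user_home_t:'
}

# Constructed sample: the first records from the issue report, shortened.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1716793122.966:814): avc: denied { write } for pid=8150 comm="mkdir" name="libdragon" dev="dm-0" ino=10808131 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:815): avc: denied { add_name } for pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793122.966:816): avc: denied { create } for pid=8150 comm="mkdir" name="build" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1716793123.018:819): avc: denied { create } for pid=8169 comm="cc1" name="fmath.d" scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716793123.018:820): avc: denied { write open } for pid=8169 comm="cc1" path="/libdragon/libdragon/build/fmath.d" dev="dm-0" ino=28758876 scontext=system_u:system_r:container_t:s0:c694,c764 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
)

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
if printf '%s\n' "$SAMPLE_AVC" | targets_home_label; then
  echo "target is still user_home_t: check the volume mount for a :z or :Z label option"
fi
```

Feed it real data with `ausearch -m AVC -ts recent | summarize_avc` on the host. In enforcing mode the records carry `permissive=0` and the first denial in the sequence is the one that surfaces as `Permission denied` in the container.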
anacierdem commented 4 days ago

@polypoyo Is it possible that your docker requires root?

polypoyo commented 3 days ago

> @polypoyo Is it possible that your docker requires root?

No, it works just fine when in Permissive mode

anacierdem commented 2 days ago

Ok, `-u 1000:1000` already suggests the same. Can you share the full output of `libdragon version` and `libdragon init -v`? Also, how exactly do you install/use the tool? It might also help to debug the problem.