Discussion:
Running Qt-5.10 in docker requires "allow container_t container_runtime_t:fifo_file map;"
Laurent Rineau
2018-01-19 16:19:16 UTC
In an automated test process, I have a docker container based on
Fedora Rawhide, with Docker running on F27. That container runs a compilation
process involving Qt 5.10 (from rawhide).

That compilation fails, and I have the following AVC:

type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046
comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646
scontext=system_u:system_r:container_t:s0:c273,c916
tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file
permissive=0

When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation
test).

What do you suggest? The tool audit2allow says that I would need that module:

module qt5.10 1.0;

require {
type container_runtime_t;
type container_t;
class fifo_file map;
}

#============= container_t ==============
allow container_t container_runtime_t:fifo_file map;


Is that permission dangerous? Why is it not in the policy?

Actually, I have no idea what mapping a fifo file means. From what I know, it
makes no sense.

--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau


_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.or
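To see how audit2allow gets from an AVC record like the one above to the allow rule it proposes, here is a small parser written for this thread (an added example, not code from the original post and not the audit2allow/setools implementation). It reads the denial into its fields and emits the equivalent type-enforcement rule; the sample record is the one from the post, re-joined onto a single line the way auditd logs it.

```python
import re

# Constructed sample: the denial from the post, re-joined onto one line
# (the mail client wrapped it; audit records are single lines).
SAMPLE_AVC = (
    'type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046 '
    'comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646 '
    'scontext=system_u:system_r:container_t:s0:c273,c916 '
    'tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file permissive=0'
)

# "avc: denied { perm1 perm2 } for key=value ..." ; the braces may hold several perms.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return result, permission list and the key=value fields of one AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Type is the third component of user:role:type[:level]; the MLS/MCS
    level (s0:c273,c916 here) is not part of an allow rule at all."""
    return ctx.split(':')[2]


def allow_rule(avc):
    """Build the allow rule audit2allow would derive from one parsed denial.
    Note it is keyed on types only, so it applies to every process running
    as the source type, not just the one container that hit the denial."""
    src = context_type(avc['scontext'])
    tgt = context_type(avc['tcontext'])
    perms = ' '.join(avc['perms'])
    if len(avc['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return f"allow {src} {tgt}:{avc['tclass']} {perms};"


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```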
Lukas Vrabec
2018-01-22 12:38:09 UTC
Post by Laurent Rineau
> In an automated test process, I have a docker container based on
> Fedora Rawhide, with Docker running on F27. That container runs a compilation
> process involving Qt 5.10 (from rawhide).
> type=AVC msg=audit(1516334348.971:1059): avc: denied { map } for pid=4046
> comm="moc" path="pipe:[3343646]" dev="pipefs" ino=3343646
> scontext=system_u:system_r:container_t:s0:c273,c916
> tcontext=system_u:system_r:container_runtime_t:s0 tclass=fifo_file
> permissive=0
> When Rawhide had Qt 5.9.3, it was working (no AVC, and successful compilation
> test).
> module qt5.10 1.0;
> require {
> type container_runtime_t;
> type container_t;
> class fifo_file map;
> }
> #============= container_t ==============
> allow container_t container_runtime_t:fifo_file map;
> Is that permission dangerous? Why is it not in the policy?
Dan,

Could you look on it please?

Thanks.
Post by Laurent Rineau
> Actually, I have no idea what mapping a fifo file means. From what I know, it
> makes no sense.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
