
Make start raises error "Permission denied" #10

Open
dizaar opened this issue Nov 22, 2019 · 7 comments

dizaar commented Nov 22, 2019

CentOS 8, latest stable

[root@localhost flan]# make start
docker run --name flan_1574414000 -v /opt/flan/shared:/shared flan_scan
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
mkdir: can't create directory '/shared/xml_files/2019.11.22-09.13': Permission denied
Failed to open XML output file /shared/xml_files/2019.11.22-09.13/192.168.113.0-24.xml for writing
QUITTING!
Failed to open XML output file /shared/xml_files/2019.11.22-09.13/192.168.113.0-24.xml for writing
QUITTING!
Traceback (most recent call last):
File "/output_report.py", line 225, in <module>
main()
File "/output_report.py", line 211, in main
for i, filename in enumerate(os.listdir(dirname)):
FileNotFoundError: [Errno 2] No such file or directory: '/shared/xml_files/2019.11.22-09.13'
sed: /shared/reports/report_2019.11.22-09.13.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-09.13.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-09.13.tex: No such file or directory

Running podman raises another error

[root@localhost flan]# podman list -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
878e54f459c9 localhost/flan_scan:latest /run.sh 4 minutes ago Exited (0) 4 minutes ago flan_1574414000
a7f646e06168 localhost/flan_scan:latest /run.sh About an hour ago Exited (0) About an hour ago angry_leakey
075959f10f72 localhost/flan_scan:latest /run.sh About an hour ago Exited (0) About an hour ago flan_1574409478
0a3f025670f2 localhost/flan_scan:latest /run.sh About an hour ago Exited (0) About an hour ago flan_1574409020
d40060fc5aae localhost/flan_scan:latest /run.sh About an hour ago Exited (0) About an hour ago flan_1574408973
2f0533ec5da3 localhost/flan_scan:latest /run.sh About an hour ago Exited (0) About an hour ago flan_1574408938

[root@localhost flan]# podman run localhost/flan_scan:latest

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done at Fri Nov 22 08:23:06 2019 -- 256 IP addresses (15 hosts up) scanned in 1426.62 seconds

Traceback (most recent call last):
File "/output_report.py", line 225, in <module>
main()
File "/output_report.py", line 216, in main
parse_results(data)
File "/output_report.py", line 98, in parse_results
hosts = data['nmaprun']['host']
KeyError: 'host'
sed: /shared/reports/report_2019.11.22-07.59.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-07.59.tex: No such file or directory
sed: /shared/reports/report_2019.11.22-07.59.tex: No such file or directory

dizaar commented Nov 22, 2019

Sorry, issue resolved. SELinux needs to be disabled or configured.

dizaar closed this as completed Nov 22, 2019


ghost commented Nov 22, 2019

Could you share your SELinux settings maybe?
:edit:
this should do the trick:

ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
semodule -X 300 -i my-mkdir.pp
ausearch -c 'run.sh' --raw | audit2allow -M my-runsh
semodule -X 300 -i my-runsh.pp

dizaar commented Nov 23, 2019

I've just used flan in a test environment, so I simply disabled it:
selinux=disabled instead of selinux=enforcing

ghost commented Nov 25, 2019

I've just used flan in a test environment, so I simply disabled it:
selinux=disabled instead of selinux=enforcing

Well yeah, might be okay for test systems, but is not really an option for many other systems.
I would be interested in keeping this open and maybe add a real fix?

Don't know if this would be out of scope, though?
I actually gave up on this issue last week, because I kept getting avc denials.

dizaar commented Nov 25, 2019

We can try together to find a solution and add it to the user manual. I think it would be a better option for others. I'll try your solution and check it.

dizaar reopened this Nov 25, 2019

dizaar commented Nov 25, 2019

As SvenMW suggested earlier, there is a solution to work with SELinux in enforcing mode.
After some investigation:

ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
semodule -X 300 -i my-mkdir.pp

ausearch -c 'nmap' --raw | audit2allow -M my-nmap
semodule -X 300 -i my-nmap.pp

But there was one more issue with sed.
And the last step was:

grep sed /var/log/audit/audit.log | audit2allow -M flan_scan
semodule -X 300 -i flan_scan.pp

Resultant policies are:

flan_scan.te

module flan_scan 1.0;

require {
type container_t;
type usr_t;
class file { rename setattr unlink };
class dir remove_name;
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow container_t usr_t:file setattr;
allow container_t usr_t:file { rename unlink };

my-nmap.te

module my-nmap 1.0;

require {
type usr_t;
type container_t;
class dir add_name;
class file { create write };
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir add_name;
allow container_t usr_t:file { create write };

my-mkdir.te

module my-mkdir 1.0;

require {
type usr_t;
type container_t;
class dir { add_name create write };
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir write;
allow container_t usr_t:dir { add_name create };
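
Before loading modules generated with audit2allow, it is worth seeing exactly what they grant. The script below is an added example, not code from flan_scan or from anyone in this thread: it parses the allow rules of the flan_scan.te shown above (embedded as constructed input) and flags grants whose target is a broad, system-wide type such as usr_t. BROAD_TARGET_TYPES is an assumed list; when the shared volume is labelled container_file_t instead (for example with the :Z volume option on podman run), container_t no longer needs write access to usr_t at all.

```python
"""Parse audit2allow-style SELinux .te modules and flag broad allow rules."""
import re
from typing import Dict, List, Set, Tuple

# Policy module text copied from the thread above (flan_scan.te), minus comments.
FLAN_SCAN_TE = """\
module flan_scan 1.0;

require {
    type container_t;
    type usr_t;
    class file { rename setattr unlink };
    class dir remove_name;
}

#============= container_t ==============
allow container_t usr_t:dir remove_name;
allow container_t usr_t:file setattr;
allow container_t usr_t:file { rename unlink };
"""

# Generic target types a container domain should rarely need to modify; a hit
# here usually means the volume should be relabelled (container_file_t) rather
# than the policy loosened. Assumed list for this example, not an official one.
BROAD_TARGET_TYPES = {"usr_t", "etc_t", "var_t", "bin_t", "lib_t"}

# Matches "allow <src> <tgt>:<class> <perm>;" and "allow <src> <tgt>:<class> { p1 p2 };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)


def parse_allow_rules(te_text: str) -> List[Tuple[str, str, str, str]]:
    """Expand every allow rule into (source, target, class, permission) tuples."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        for perm in perms.strip("{} ").split():
            rules.append((src, tgt, cls, perm))
    return rules


def grants_by_target(te_text: str) -> Dict[str, Set[str]]:
    """Map each target type to the set of 'class:perm' the module grants on it."""
    grants: Dict[str, Set[str]] = {}
    for _src, tgt, cls, perm in parse_allow_rules(te_text):
        grants.setdefault(tgt, set()).add(f"{cls}:{perm}")
    return grants


def broad_grants(te_text: str) -> Dict[str, Set[str]]:
    """Return only the grants whose target is a broad, system-wide type."""
    return {t: p for t, p in grants_by_target(te_text).items()
            if t in BROAD_TARGET_TYPES}


if __name__ == "__main__":
    for target, perms in broad_grants(FLAN_SCAN_TE).items():
        print(f"{target}: {', '.join(sorted(perms))}  <- consider relabelling the volume")
```

Run the same check against my-nmap.te and my-mkdir.te to see that all three modules only ever widen container_t's access to usr_t.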

ghost commented Nov 25, 2019

Thank you so much!
I currently can't test, but will do so later.
As I said earlier: my solution was incomplete, so thanks for taking the time to test this.

I also agree this could be put into the manual, as it is environment specific.
