
Comments (7)

dizaar avatar dizaar commented on July 17, 2024

Sorry, issue resolved. SELinux needs to be disabled or configured.

from flan.

 avatar commented on July 17, 2024

could you share your selinux settings maybe?
:edit:
this should do the trick:

# Build a local policy module from the AVC denials recorded for each command, then load it
ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
semodule -X 300 -i my-mkdir.pp
ausearch -c 'run.sh' --raw | audit2allow -M my-runsh
semodule -X 300 -i my-runsh.pp


dizaar avatar dizaar commented on July 17, 2024

I've just used flan in a test environment, so I simply disabled it:
selinux=disabled instead of selinux=enforcing


 avatar commented on July 17, 2024

I've just used flan in a test environment, so I simply disabled it:
selinux=disabled instead of selinux=enforcing

Well yeah, might be okay for test systems, but is not really an option for many other systems.
I would be interested in keeping this open and maybe adding a real fix?

Don't know if this would be out of scope, though?
I actually gave up on this issue last week, because I kept getting avc denials.


dizaar avatar dizaar commented on July 17, 2024

We can try together to find a solution and add it to the user manual. I think it would be a better option for others. I'll try your solution and check it.


dizaar avatar dizaar commented on July 17, 2024

As SvenMW suggested earlier, there is a solution to work with SELinux enforcing mode.
After some investigation:

# Policy modules built from the denials recorded for mkdir and nmap
ausearch -c 'mkdir' --raw | audit2allow -M my-mkdir
semodule -X 300 -i my-mkdir.pp

ausearch -c 'nmap' --raw | audit2allow -M my-nmap
semodule -X 300 -i my-nmap.pp

But there was one more issue with sed.
And the last step was:

# Pick up the remaining denials for sed straight from the audit log
grep sed /var/log/audit/audit.log | audit2allow -M flan_scan
semodule -X 300 -i flan_scan.pp

Resultant policies are:

flan_scan.te

module flan_scan 1.0;

require {
type container_t;
type usr_t;
class file { rename setattr unlink };
class dir remove_name;
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow container_t usr_t:file setattr;
allow container_t usr_t:file { rename unlink };

my-nmap.te

module my-nmap 1.0;

require {
type usr_t;
type container_t;
class dir add_name;
class file { create write };
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir add_name;
allow container_t usr_t:file { create write };

my-mkdir.te

module my-mkdir 1.0;

require {
type usr_t;
type container_t;
class dir { add_name create write };
}

#============= container_t ==============

#!!!! This avc is allowed in the current policy
allow container_t usr_t:dir write;
allow container_t usr_t:dir { add_name create };

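A way to read what such a module will grant before it is loaded, as an added example that is not from the flan project or from either commenter: a small Python script that parses AVC denial records (the sample lines below are constructed, not taken from the thread), groups them per command the way ausearch -c does, and renders the same .te layout audit2allow produces.

```python
import re
from collections import defaultdict

# Constructed AVC records of the kind flan triggers on an enforcing host
# (container_t writing under usr_t); not taken from the thread above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1721200000.101:201): avc:  denied  { write } for  pid=4101 comm="mkdir" name="flan" dev="dm-0" ino=1001 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1721200000.102:202): avc:  denied  { add_name } for  pid=4101 comm="mkdir" name="reports" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1721200000.103:203): avc:  denied  { create } for  pid=4101 comm="mkdir" name="reports" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1721200000.201:204): avc:  denied  { create } for  pid=4110 comm="nmap" name="scan.xml" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721200000.202:205): avc:  denied  { write } for  pid=4110 comm="nmap" name="scan.xml" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721200000.202:205): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)')

def parse_avc_denials(log, comm=None):
    """Map (source_type, target_type, tclass) -> set of denied permissions.
    `comm` narrows to one command, as `ausearch -c NAME` does on the page."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue            # non-AVC record or another command
        src_type = m["scontext"].split(":")[2]   # user:role:TYPE:level
        tgt_type = m["tcontext"].split(":")[2]
        rules[(src_type, tgt_type, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def braces(perms):
    """Format a permission set the way audit2allow prints it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(rules, module_name):
    """Render the rules as a .te module (audit2allow layout) for review before semodule -i."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {braces(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {braces(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"
```

Every rule rendered here widens container_t access to usr_t for all containers on the host, so the target type is the thing to check before loading; relabeling the scan output directory with a container-writable type such as container_file_t avoids the broad grant.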

 avatar commented on July 17, 2024

Thank you so much!
I currently can't test, but will do so later.
As I said earlier: My solution was incomplete, so thanks for taking the time to test this.

I also agree this could be put into the manual, as it is environment specific.

