https://bugzilla.redhat.com/show_bug.cgi?id=1094664
--- Comment #4 from Jan Pazdziora <jpazdziora(a)redhat.com> ---
# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root 40 May 7 07:06 .
drwxr-xr-x. 4 root root 4096 May 7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root 80 May 7 07:06 .
drwxr-xr-x. 4 root root 4096 May 7 07:06 ..
-rw-r--r--. 1 root root 0 May 7 07:06 a
-rw-rw-r--. 1 test test 0 May 7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit
#
Back on the host:
# ausearch -m avc -ts recent -i
<no matches>
Now upgraded to:
# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64
Restarted docker service and did:
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root 40 May 7 07:10 .
drwxr-xr-x. 4 root root 4096 May 7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch ‘/dev/shm/b’: Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root 60 May 7 07:10 .
drwxr-xr-x. 4 root root 4096 May 7 07:10 ..
-rw-r--r--. 1 root root 0 May 7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit
#
Back on the host:
# ausearch -m avc -ts recent -i
<no matches>
#
I don't think it's SELinux; the mode=1755 of the mountpoint seems to be an
explicit indication that non-roots shouldn't be allowed to write to /dev/shm.
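The mode= mount option is what the two sessions above differ in, so the quickest way to tell the two docker-io behaviours apart from inside a container is to read it out of the mount table rather than probing with touch. The following is an added example, not code from the bug report or from Docker; the two mount-table files are constructed to mirror the 0.9.1 (mode=1777) and 0.10.0 (mode=1755) cases, and the size=65536k option is a made-up value.

```shell
#!/bin/sh
# Added example: report whether /dev/shm in a container is mounted with a
# tmpfs mode that lets unprivileged users create files (1777, sticky and
# world-writable) or a restrictive one such as the mode=1755 seen above.

# Print the mode= value of the mount at $2 from the /proc/mounts-style table
# in $1 (fields: device mountpoint fstype options dump pass); print nothing
# if the entry has no mode option.
shm_mount_mode() {
    awk -v mp="$2" '$2 == mp {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^mode=/) { sub(/^mode=/, "", opts[i]); print opts[i]; exit }
    }' "$1"
}

# Return 0 when the mode is the shared-tmpfs default (1777), 1 otherwise.
shm_mode_is_shared() {
    case "$1" in
        1777|01777) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed mount tables standing in for /proc/self/mounts in each container.
OLD_MOUNTS=$(mktemp); NEW_MOUNTS=$(mktemp)
trap 'rm -f "$OLD_MOUNTS" "$NEW_MOUNTS"' EXIT
cat > "$OLD_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,mode=1777 0 0
EOF
cat > "$NEW_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k,mode=1755 0 0
EOF

# Summarise one mount table; on a live container pass /proc/self/mounts.
check_shm() {
    mode=$(shm_mount_mode "$1" /dev/shm)
    if shm_mode_is_shared "$mode"; then
        echo "/dev/shm mode=$mode: unprivileged users can create files"
    else
        echo "/dev/shm mode=${mode:-unset}: non-root writes will be denied"
    fi
}
check_shm "$OLD_MOUNTS"
check_shm "$NEW_MOUNTS"
```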