https://bugzilla.redhat.com/show_bug.cgi?id=1166950
Bug ID: 1166950
Summary: Unable to run "mysql" docker image on Fedora atomic due to selinux
Product: Fedora
Version: 21
Component: docker-io
Assignee: lsm5(a)fedoraproject.org
Reporter: lars(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: admiller(a)redhat.com, golang(a)lists.fedoraproject.org,
hushan.jia(a)gmail.com, jchaloup(a)redhat.com,
jperrin(a)centos.org, lsm5(a)fedoraproject.org,
mattdm(a)redhat.com, mgoldman(a)redhat.com,
miminar(a)redhat.com, s(a)shk.io, thrcka(a)redhat.com,
vbatts(a)redhat.com
The "mysql" Docker image creates a volume on /var/lib/mysql inside the container.
At runtime, the entrypoint script attempts to chown this directory to the mysql user, which leads to the following error:
# docker run -e MYSQL_ROOT_PASSWORD=secret mysql
FATAL ERROR: Could not chown directory /var/lib/mysql
And the following AVC:
type=AVC msg=audit(1416629737.562:201): avc: denied { setattr } for pid=22615 comm="mysql_install_d" name="d27cb6010a47942d7dc4826ebfe138ea62888fc9a5dedcaf14ebb3a1f45781c2" dev="dm-0" ino=6329484 scontext=system_u:system_r:svirt_lxc_net_t:s0:c190,c586 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0
Which translates to:
module docker 1.0;
require {
type svirt_lxc_net_t;
type docker_var_lib_t;
class dir setattr;
}
#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t docker_var_lib_t:dir setattr;
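The translation step above is what audit2allow performs: it reads the AVC record, keeps only the source type, target type, object class and permission, and emits an allow rule. The script below is an added example (not part of this bug report and not the audit2allow code) that does the same for the denial quoted above, so the mapping from audit fields to policy rule can be checked by hand. It assumes AVC records in the one-line key=value layout shown in the report; the second sample record and the module name "docker" are constructed for the example. Note what the generated rule actually grants: svirt_lxc_net_t is the domain the container runs in and docker_var_lib_t labels docker's own data directory, so loading such a module widens what any container in that domain may do to that directory, which is why the output is useful for diagnosis rather than as the fix.

```python
import re

# Constructed sample input: the denial quoted in the bug report, joined onto one
# line as the audit log holds it (field values are those the report shows).
REPORTED_AVC = (
    'type=AVC msg=audit(1416629737.562:201): avc: denied { setattr } for '
    'pid=22615 comm="mysql_install_d" '
    'name="d27cb6010a47942d7dc4826ebfe138ea62888fc9a5dedcaf14ebb3a1f45781c2" '
    'dev="dm-0" ino=6329484 scontext=system_u:system_r:svirt_lxc_net_t:s0:c190,c586 '
    'tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0'
)

# A second, purely constructed denial (not from the report) on the same type pair,
# used to show how several permissions collapse into one rule.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1416629800.000:202): avc: denied { write } for '
    'pid=22615 comm="mysql_install_d" name="mysql" dev="dm-0" ino=6329485 '
    'scontext=system_u:system_r:svirt_lxc_net_t:s0:c190,c586 '
    'tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values are quoted (comm, name, dev) or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}
    # Policy rules name types, not full contexts (user:role:type[:level]).
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def perm_list(perms):
    """Render a permission set the way policy source writes it."""
    plist = ' '.join(sorted(perms))
    return plist if len(perms) == 1 else '{ ' + plist + ' }'


def allow_rules(records):
    """Collapse denials into one allow line per (source type, target type, class)."""
    grouped = {}
    for r in records:
        if r is None or r['result'] != 'denied':
            continue
        grouped.setdefault((r['stype'], r['ttype'], r['tclass']), set()).update(r['perms'])
    return [f'allow {s} {t}:{c} {perm_list(p)};' for (s, t, c), p in sorted(grouped.items())]


def policy_module(name, records, version='1.0'):
    """Render loadable-module source (.te) in the layout the report shows."""
    records = [r for r in records if r is not None and r['result'] == 'denied']
    types = sorted({t for r in records for t in (r['stype'], r['ttype'])})
    classes = {}
    for r in records:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {perm_list(p)};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    by_source = {}
    for rule in allow_rules(records):
        by_source.setdefault(rule.split()[1], []).append(rule)
    for stype, rules in sorted(by_source.items()):
        lines.append(f'#============= {stype} ==============')
        lines += rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(policy_module('docker', [parse_avc(REPORTED_AVC)]))
```

Run it as-is to print the module for the reported denial; feed it every AVC line from the audit log instead of the one sample to see how many distinct type pairs a container actually touched before deciding whether a label change on the volume or a policy change is the right remedy.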
A simple reproducer is to create a Dockerfile with the following:
FROM fedora
VOLUME /var/lib/myvolume
RUN chown nobody /var/lib/myvolume
And attempt to "docker build .":
Sending build context to Docker daemon 2.56 kB
Sending build context to Docker daemon
Step 0 : FROM fedora
---> 7d3f07f8de5f
Step 1 : VOLUME /var/lib/myvolume
---> Running in 5f2e6a9a51e0
---> ea49c8d042b2
Removing intermediate container 5f2e6a9a51e0
Step 2 : RUN chown nobody /var/lib/myvolume
---> Running in d1083d0ccc68
chown: changing ownership of '/var/lib/myvolume': Permission denied
2014/11/22 04:27:19 The command [/bin/sh -c chown nobody /var/lib/myvolume] returned a non-zero code: 1