https://bugzilla.redhat.com/show_bug.cgi?id=1141507
Bug ID: 1141507
Summary: /etc/resolv.conf inaccessible with --selinux-enabled
Product: Fedora
Version: rawhide
Component: docker-io
Assignee: lsm5@fedoraproject.org
Reporter: lsm5@fedoraproject.org
QA Contact: extras-qa@fedoraproject.org
CC: admiller@redhat.com, golang@lists.fedoraproject.org, hushan.jia@gmail.com, jperrin@centos.org, lsm5@fedoraproject.org, mattdm@redhat.com, mgoldman@redhat.com, s@shk.io, vbatts@redhat.com

Description of problem:
Don't think this condition existed at the time of docker 1.2.0 update (though I could be wrong).

HOST $ cat /etc/sysconfig/docker
OPTIONS=--selinux-enabled

CONTAINER bash-4.2# ls -aZ /etc/resolv.conf
ls: cannot access /etc/resolv.conf: Permission denied

---------------------------------

HOST $ cat /etc/sysconfig/docker
OPTIONS=

CONTAINER bash-4.2# ls -aZ /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 /etc/resolv.conf

NVRs:
$ rpm -q docker-io
docker-io-1.2.0-2.fc22.x86_64
$ rpm -q selinux-policy
selinux-policy-3.13.1-81.fc22.noarch

Daniel Walsh dwalsh@redhat.com changed:

What      |Removed                |Added
----------------------------------------------------------------------------
Status    |NEW                    |ASSIGNED
CC        |                       |dominick.grift@gmail.com, lvrabec@redhat.com, mgrepl@redhat.com
Component |docker-io              |selinux-policy
Assignee  |lsm5@fedoraproject.org |mgrepl@redhat.com

--- Comment #1 from Daniel Walsh dwalsh@redhat.com ---
11e67f0e6778328b23cd2677ffdc7277cbead41a fixes this in git for selinux-policy.

Basically we want resolv.conf to be labeled docker_share_t just like /etc/hosts and /etc/hostname.

Miroslav Grepl mgrepl@redhat.com changed:

What             |Removed  |Added
----------------------------------------------------------------------------
Status           |ASSIGNED |CLOSED
Fixed In Version |         |selinux-policy-3.13.1-82.fc22
Resolution       |---      |RAWHIDE
Last Closed      |         |2014-09-16 07:54:05