I recently upgraded some of my Docker hosts to CentOS 7.5 and started
getting "Permission Denied" errors inside of containers. I traced this
down to any container that mounts and uses /etc/passwd from the host (so
that UIDs inside the container map to the same username as on the host),
because the SELinux policy in CentOS 7.5 does not allow the new
continer_t domain to read passwd_file_t.
The old svirt_lxc_net_t domain had the nsswitch_domain attribute, while
its replacement, container_t, does not. I cannot find any reference for
this change, so I was wondering if it was deliberate or not. If it was
deliberate, what would be the consequences if I were to make a local
policy change to add that attribute back? If it was not deliberate, I
would be happy to open a ticket in Bugzilla.
Thanks,
--
♫Dustin