Bug 1141507

Summary: /etc/resolv.conf inaccessible with --selinux-enabled
Product: Fedora
Reporter: Lokesh Mandvekar <lsm5>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: admiller, dominick.grift, dwalsh, golang-updates, hushan.jia, jperrin, lsm5, lvrabec, mattdm, mgoldman, mgrepl, s, vbatts
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-82.fc22
Doc Type: Bug Fix
Last Closed: 2014-09-16 11:54:05 UTC
Type: Bug

Description Lokesh Mandvekar 2014-09-14 08:08:57 UTC
Description of problem:

I don't think this condition existed at the time of the docker 1.2.0 update (though I could be wrong).

HOST
$ cat /etc/sysconfig/docker
OPTIONS=--selinux-enabled

CONTAINER
bash-4.2# ls -aZ /etc/resolv.conf
ls: cannot access /etc/resolv.conf: Permission denied

---------------------------------

HOST
$ cat /etc/sysconfig/docker
OPTIONS=

CONTAINER
bash-4.2# ls -aZ /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 /etc/resolv.conf

NVRs:

$ rpm -q docker-io
docker-io-1.2.0-2.fc22.x86_64
$ rpm -q selinux-policy
selinux-policy-3.13.1-81.fc22.noarch

Comment 1 Daniel Walsh 2014-09-15 18:01:44 UTC
11e67f0e6778328b23cd2677ffdc7277cbead41a fixes this in git for selinux-policy.

Basically we want resolv.conf to be labeled docker_share_t just like /etc/hosts and /etc/hostname.
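A quick way to verify the labeling described in this bug from inside a container is to feed `ls -aZ /etc/hosts /etc/hostname /etc/resolv.conf` output through a check that flags any file not carrying the docker_share_t type (or not readable at all, the symptom above). The script below is an added example, not part of the bug report or of selinux-policy; the sample input is constructed from the labels shown in the report.

```shell
#!/bin/sh
# Added example: check the SELinux type on the files Docker bind-mounts into a
# container against the type the fix expects (docker_share_t, per comment 1).
# Input is `ls -aZ` output on stdin; the SAMPLE below is constructed, not a capture.

EXPECTED_TYPE=docker_share_t

# Print the SELinux type (third field of user:role:type:level) from one ls -Z
# line, "unreadable" if ls reported "Permission denied", or "unknown".
label_type() {
    line=$1
    case "$line" in
        *"Permission denied"*) echo unreadable; return 0 ;;
    esac
    for field in $line; do
        case "$field" in
            *:*:*:*) echo "$field" | cut -d: -f3; return 0 ;;
        esac
    done
    echo unknown
}

# Read ls -aZ lines from stdin; print one OK/MISMATCH/UNREADABLE line per file.
# Returns 0 only when every file carries $EXPECTED_TYPE.
check_labels() {
    status=0
    while IFS= read -r line; do
        stype=$(label_type "$line")
        if [ "$stype" = unreadable ]; then
            # ls printed "ls: cannot access <file>: Permission denied"
            file=$(printf '%s\n' "$line" | sed 's/.*cannot access \([^:]*\):.*/\1/')
            echo "UNREADABLE $file"; status=1
        elif [ "$stype" = "$EXPECTED_TYPE" ]; then
            echo "OK ${line##* } ($stype)"
        else
            echo "MISMATCH ${line##* } ($stype, expected $EXPECTED_TYPE)"; status=1
        fi
    done
    return $status
}

# Constructed sample: a correctly labeled /etc/hosts plus both outcomes seen
# for /etc/resolv.conf in the report (denied with --selinux-enabled, and
# docker_var_lib_t without it).
SAMPLE='-rw-r--r--. root root system_u:object_r:docker_share_t:s0 /etc/hosts
ls: cannot access /etc/resolv.conf: Permission denied
-rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 /etc/resolv.conf'

printf '%s\n' "$SAMPLE" | check_labels || echo "some files need relabeling"
```

Inside a real container, replace the constructed SAMPLE with `ls -aZ /etc/hosts /etc/hostname /etc/resolv.conf 2>&1 | check_labels`.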