Bug 1141507 - /etc/resolv.conf inaccessible with --selinux-enabled
Summary: /etc/resolv.conf inaccessible with --selinux-enabled
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-09-14 08:08 UTC by Lokesh Mandvekar
Modified: 2014-09-16 11:54 UTC (History)
CC List: 13 users

Fixed In Version: selinux-policy-3.13.1-82.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-16 11:54:05 UTC
Type: Bug
Embargoed:



Description Lokesh Mandvekar 2014-09-14 08:08:57 UTC
Description of problem:

Don't think this condition existed at the time of docker 1.2.0 update (though I could be wrong).

HOST
$ cat /etc/sysconfig/docker
OPTIONS=--selinux-enabled

CONTAINER
bash-4.2# ls -aZ /etc/resolv.conf
ls: cannot access /etc/resolv.conf: Permission denied

---------------------------------

HOST
$ cat /etc/sysconfig/docker
OPTIONS=

CONTAINER
bash-4.2# ls -aZ /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:docker_var_lib_t:s0 /etc/resolv.conf



NVRs: 

$ rpm -q docker-io
docker-io-1.2.0-2.fc22.x86_64
$ rpm -q selinux-policy
selinux-policy-3.13.1-81.fc22.noarch

Comment 1 Daniel Walsh 2014-09-15 18:01:44 UTC
11e67f0e6778328b23cd2677ffdc7277cbead41a fixes this in git for selinux-policy.

Basically we want resolv.conf to be labeled docker_share_t just like /etc/hosts and /etc/hostname.


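A small host-side check for the labeling expectation stated in comment 1, added here as an example and not part of the bug report or of selinux-policy. It parses lines in the `context path` layout that `ls -Z` prints and reports every file whose SELinux type is not docker_share_t. The sample input is constructed (the container id `abc123` and the `/var/lib/docker/containers/<id>/` location of the per-container hosts, hostname and resolv.conf files are assumptions); on a real host feed it the output of `ls -Z` on those files instead.

```shell
#!/bin/sh
# Added example: verify that the files docker bind-mounts into a container
# all carry the docker_share_t type that comment 1 says resolv.conf should
# share with /etc/hosts and /etc/hostname.

EXPECTED_TYPE="docker_share_t"

# Constructed sample in `ls -Z` layout ("<context> <path>"); resolv.conf still
# carries the pre-fix docker_var_lib_t type seen in the report. The container
# directory and id are assumptions for illustration only.
SAMPLE_LS_Z='system_u:object_r:docker_share_t:s0 /var/lib/docker/containers/abc123/hosts
system_u:object_r:docker_share_t:s0 /var/lib/docker/containers/abc123/hostname
system_u:object_r:docker_var_lib_t:s0 /var/lib/docker/containers/abc123/resolv.conf'

# Reads "<context> <path>" lines on stdin and prints "<path> <type>" for each
# file whose type field differs from EXPECTED_TYPE. Exit status is 0 when
# every file matches and 1 when at least one is mislabeled.
find_mislabeled() {
    rc=0
    while read -r context path; do
        [ -n "$context" ] || continue
        # An SELinux context is user:role:type:level; the type is field 3.
        type=$(printf '%s' "$context" | cut -d: -f3)
        if [ "$type" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$path" "$type"
            rc=1
        fi
    done
    return $rc
}

# Runs the check over the constructed sample; on a real host replace the
# sample with: ls -Z /var/lib/docker/containers/<id>/hosts \
#   /var/lib/docker/containers/<id>/hostname \
#   /var/lib/docker/containers/<id>/resolv.conf | find_mislabeled
mislabeled_from_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
}
```

Run against the sample it prints the resolv.conf path with its docker_var_lib_t type and exits 1; after the selinux-policy fix named above, a relabel of those files should make the check exit 0 with no output.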