https://bugzilla.redhat.com/show_bug.cgi?id=1094664
--- Comment #4 from Jan Pazdziora <[email protected]> ---

# rpm -q docker-io
docker-io-0.9.1-1.fc20.x86_64
# getenforce
Permissive
# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxrwxrwt. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   40 May 7 07:06 .
drwxr-xr-x. 4 root root 4096 May 7 07:06 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@c05cc1c52ec1 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@c05cc1c52ec1 ~]$ touch /dev/shm/b
[test@c05cc1c52ec1 ~]$ ls -la /dev/shm
total 4
drwxrwxrwt. 2 root root   80 May 7 07:06 .
drwxr-xr-x. 4 root root 4096 May 7 07:06 ..
-rw-r--r--. 1 root root    0 May 7 07:06 a
-rw-rw-r--. 1 test test    0 May 7 07:06 b
[test@c05cc1c52ec1 ~]$ logout
bash-4.2# exit

# Back on the host:
# ausearch -m avc -ts recent -i
<no matches>

Now upgraded to:

# rpm -q docker-io
docker-io-0.10.0-2.fc20.x86_64

Restarted docker service and did:

# docker run -ti fedora:20 /bin/bash
bash-4.2# ls -laZ /dev/shm
drwxr-xr-t. root root system_u:object_r:docker_tmpfs_t:s0 .
drwxr-xr-x. root root system_u:object_r:file_t:s0 ..
bash-4.2# ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   40 May 7 07:10 .
drwxr-xr-x. 4 root root 4096 May 7 07:10 ..
bash-4.2# touch /dev/shm/a
bash-4.2# adduser test
bash-4.2# su - test
[test@e13c9240f149 ~]$ id
uid=1000(test) gid=1000(test) groups=1000(test)
[test@e13c9240f149 ~]$ touch /dev/shm/b
touch: cannot touch '/dev/shm/b': Permission denied
[test@e13c9240f149 ~]$ ls -la /dev/shm
total 4
drwxr-xr-t. 2 root root   60 May 7 07:10 .
drwxr-xr-x. 4 root root 4096 May 7 07:10 ..
-rw-r--r--. 1 root root    0 May 7 07:10 a
[test@e13c9240f149 ~]$ logout
bash-4.2# exit

# Back on the host:
# ausearch -m avc -ts recent -i
<no matches>

I don't think it's SELinux; the mode=1755 of the mountpoint seems to be an explicit indication that non-roots shouldn't be allowed to write to /dev/shm.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
golang mailing list
[email protected]
https://lists.fedoraproject.org/mailman/listinfo/golang
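The comment above establishes the cause by hand: inside the container, `ls -la /dev/shm` shows `drwxr-xr-t` instead of `drwxrwxrwt`, an unprivileged `touch` fails, and `ausearch` shows no AVC denial, so it is the tmpfs mount mode (1755 rather than the usual 1777) and not SELinux. The script below is an added example, not part of the bug report or of docker-io: it automates that check by reading the `/proc/self/mountinfo` entry for `/dev/shm` and classifying its `mode=` option. The mountinfo field layout is the real one; the assumption that tmpfs omits `mode=` when the root directory has the 1777 default is mine and should be cross-checked with `stat -c %a /dev/shm` on a live system. The two sample mountinfo lines are constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example, not part of the bug report or of docker-io: a check for
# how /dev/shm is mounted, automating what the comment above does by hand
# with "ls -laZ" and "touch" as an unprivileged user.
#
# /proc/self/mountinfo format: field 5 is the mount point; after the "-"
# separator come fstype, source and the superblock options, where tmpfs
# reports a "mode=" option. Assumption: tmpfs omits "mode=" when the root
# directory has the 1777 default, so a missing option is read as 1777.
# Cross-check on a live box with "stat -c %a /dev/shm".

# Print the mode= tmpfs option of the mount on $1 (default /dev/shm),
# reading mountinfo-format text on stdin. Prints nothing if absent.
shm_mode_from_mountinfo() {
    mp=${1:-/dev/shm}
    awk -v mp="$mp" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") break   # optional fields end at "-"
            if ($(i + 1) != "tmpfs") next                    # fstype must be tmpfs
            n = split($(i + 3), opts, ",")                    # superblock options
            for (j = 1; j <= n; j++)
                if (opts[j] ~ /^mode=/) { print substr(opts[j], 6); exit }
        }'
}

# Return 0 when the "other" class has the write bit (e.g. 1777), 1 when
# only root can create entries (e.g. the 1755 seen with docker-io 0.10.0).
# An empty mode means the 1777 default (assumption noted above).
shm_mode_is_world_writable() {
    mode=${1:-1777}
    last=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
    case "$last" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Given mountinfo text, print a verdict and return 0 if non-root users can
# create files in /dev/shm, 1 if they cannot.
check_shm() {
    mode=$(printf '%s\n' "$1" | shm_mode_from_mountinfo /dev/shm)
    if shm_mode_is_world_writable "$mode"; then
        echo "/dev/shm mode=${mode:-1777 (default)}: any uid can create files"
        return 0
    fi
    echo "/dev/shm mode=$mode: only root can create files (the 'Permission denied' case)"
    return 1
}

# Constructed sample lines (not captured from a real container): one with no
# mode= option, i.e. the 1777 default where touch succeeded for uid 1000,
# and one with mode=1755, where it failed.
SHM_DEFAULT='42 35 0:30 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,nosuid,nodev,noexec,relatime,size=65536k'
SHM_1755='42 35 0:30 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,nosuid,nodev,noexec,relatime,size=65536k,mode=1755'

if [ "${1:-}" = live ]; then
    # Run inside the container: read the real mount table and cross-check with stat.
    check_shm "$(cat /proc/self/mountinfo)" || :
    stat -c 'stat: %A (%a) %n' /dev/shm
else
    check_shm "$SHM_DEFAULT"
    check_shm "$SHM_1755" || :
fi
```

Run it with no arguments to see the verdict for the two constructed lines, or `sh check_shm.sh live` inside a container to read the real mount table; the `stat` line is there because the mode classification rests on the assumption about when tmpfs prints `mode=`, and `stat` reports the directory mode directly.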
