https://bugzilla.redhat.com/show_bug.cgi?id=1166950

            Bug ID: 1166950
           Summary: Unable to run "mysql" docker image on Fedora atomic
                    due to selinux
           Product: Fedora
           Version: 21
         Component: docker-io
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected], [email protected],
                    [email protected], [email protected],
                    [email protected], [email protected],
                    [email protected], [email protected],
                    [email protected], [email protected], [email protected],
                    [email protected]



The "mysql" Docker image creates a volume on /var/lib/mysql inside the
container.

At runtime, the entrypoint script attempts to chown this directory to the mysql
user, which leads to the following error:

    # docker run -e MYSQL_ROOT_PASSWORD=secret mysql
    FATAL ERROR: Could not chown directory /var/lib/mysql

And the following AVC:

    type=AVC msg=audit(1416629737.562:201): avc:  denied  { setattr } for pid=22615 comm="mysql_install_d" name="d27cb6010a47942d7dc4826ebfe138ea62888fc9a5dedcaf14ebb3a1f45781c2" dev="dm-0" ino=6329484 scontext=system_u:system_r:svirt_lxc_net_t:s0:c190,c586 tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0

Which translates to:

    module docker 1.0;

    require {
        type svirt_lxc_net_t;
        type docker_var_lib_t;
        class dir setattr;
    }

    #============= svirt_lxc_net_t ==============
    allow svirt_lxc_net_t docker_var_lib_t:dir setattr;
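As an added example (not part of the bug report), here is the derivation of that allow rule from the AVC record, as audit2allow performs it, written in Python with the sample record constructed from the denial above. It makes visible that only the type of each context reaches the rule: the MCS categories (c190,c586) that confine this one container are dropped, so the generated rule would apply to every svirt_lxc_net_t container on the host against every docker_var_lib_t directory.

```python
import re

# Constructed sample: the AVC record from this bug, re-joined onto one line as in the audit log.
SAMPLE_AVC = (
    "type=AVC msg=audit(1416629737.562:201): avc:  denied  { setattr } for "
    'pid=22615 comm="mysql_install_d" '
    'name="d27cb6010a47942d7dc4826ebfe138ea62888fc9a5dedcaf14ebb3a1f45781c2" '
    'dev="dm-0" ino=6329484 scontext=system_u:system_r:svirt_lxc_net_t:s0:c190,c586 '
    "tcontext=system_u:object_r:docker_var_lib_t:s0 tclass=dir permissive=0"
)
# Only the permission set, both contexts and the object class feed the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def fmt_perms(perms):
    """One permission bare, several in braces, as written in policy source."""
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def parse_avc(line):
    """Parse one AVC denial into its rule-relevant fields; None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:level]; only the type reaches the rule, so
    # the MCS categories (c190,c586) that isolate this one container are dropped.
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def allow_rule(rec):
    """The allow rule audit2allow would emit for one parsed denial."""
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], fmt_perms(rec["perms"]))

def te_module(lines, name="docker", version="1.0"):
    """Render a .te module from audit log lines; non-AVC lines are skipped."""
    recs = [r for r in map(parse_avc, lines) if r]
    types = sorted({t for r in recs for t in (r["stype"], r["ttype"])})
    classes = {}
    for r in recs:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["    type %s;" % t for t in types]
    out += ["    class %s %s;" % (c, fmt_perms(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + [allow_rule(r) for r in recs]
    return "\n".join(out)
```

Running `te_module(open("/var/log/audit/audit.log"))` reproduces the module text above; reviewing the `require` block before loading it shows which types the rule joins.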

A simple reproducer is to create a Dockerfile with the following:

    FROM fedora
    VOLUME /var/lib/myvolume
    RUN chown nobody /var/lib/myvolume

And attempt to "docker build .":

    Sending build context to Docker daemon  2.56 kB
    Sending build context to Docker daemon 
    Step 0 : FROM fedora
     ---> 7d3f07f8de5f
    Step 1 : VOLUME /var/lib/myvolume
     ---> Running in 5f2e6a9a51e0
     ---> ea49c8d042b2
    Removing intermediate container 5f2e6a9a51e0
    Step 2 : RUN chown nobody /var/lib/myvolume
     ---> Running in d1083d0ccc68
    chown: changing ownership of '/var/lib/myvolume': Permission denied
    2014/11/22 04:27:19 The command [/bin/sh -c chown nobody /var/lib/myvolume] returned a non-zero code: 1

_______________________________________________
golang mailing list
[email protected]
https://lists.fedoraproject.org/mailman/listinfo/golang