SELinux cause “Permission denied” issue in using docker

I am using docker on RHEL 7. After mounting host directory into container, some interesting things happen: Although I am a root user, and seem to have all permissions, but the system will prompt “Permission denied” when executing commands:

# docker run -v /root:/test --rm -it debian ls /test
ls: cannot open directory /test: Permission denied

Through tough investigations, I find the root cause is about SELinux:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

The current mode of SELinux is enforcing, and I get 2 solutions to resolve it now:

(1)

Add --privileged option in docker run command:

# docker run --privileged -v /root:/test --rm -it debian ls /test
Desktop    Pictures   anaconda-ks.cfg       linuxamd64_12102_database_1of2.zip
Documents  Public     database              linuxamd64_12102_database_2of2.zip
Downloads  Templates  docker-oracle12c      sysdig
Music      Videos     initial-setup-ks.cfg

(2)

Set SELinux mode as permissive:

# setenforce 0
# docker run -v /root:/test --rm -it debian ls /test
Desktop    Downloads  Pictures  Templates  anaconda-ks.cfg  docker-oracle12c      linuxamd64_12102_database_1of2.zip  sysdig
Documents  Music      Public    Videos     database         initial-setup-ks.cfg  linuxamd64_12102_database_2of2.zip

References:
Why does docker prompt “Permission denied” when backing up the data volume?;
Why does docker container prompt “Permission denied”?.

 

5 thoughts on “SELinux cause “Permission denied” issue in using docker”

  1. Did you try adding suffx ‘:z’ or ‘:Z’ to the volume mount?
    In your case, command would be
    docker run -v /root:/test:Z –rm -it debian ls /test

  2. Sorry, but these are really bad solutions.
    Running a privileged container is dangerous, as if the service inside has a vulnerability, it can be used to gain root access on the whole system. Never do that in production.
    Deactivating selinux (setenforce 0) is even worse, you deprive your whole system from an excellent security measure.

    Just add :Z at the end of your volume mount strings so docker will create adapted selinux contexts for them.

Leave a Reply to Stanislav Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.