I am using docker on RHEL 7. After mounting a host directory into a container, something interesting happens: although I am the root user and seem to have all permissions, the system prompts "Permission denied" when executing commands:
# docker run -v /root:/test --rm -it debian ls /test
ls: cannot open directory /test: Permission denied
After some tough investigation, I find the root cause is SELinux:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
The current mode of SELinux is enforcing, and I have 2 solutions to resolve it now:
(1) Add the --privileged option to the docker run command:
# docker run --privileged -v /root:/test --rm -it debian ls /test
Desktop Pictures anaconda-ks.cfg linuxamd64_12102_database_1of2.zip
Documents Public database linuxamd64_12102_database_2of2.zip
Downloads Templates docker-oracle12c sysdig
Music Videos initial-setup-ks.cfg
(2) Set the SELinux mode to permissive:
# setenforce 0
# docker run -v /root:/test --rm -it debian ls /test
Desktop Downloads Pictures Templates anaconda-ks.cfg docker-oracle12c linuxamd64_12102_database_1of2.zip sysdig
Documents Music Public Videos database initial-setup-ks.cfg linuxamd64_12102_database_2of2.zip
References:
Why does docker prompt “Permission denied” when backing up the data volume?;
Why does docker container prompt “Permission denied”?.
Very useful, thank you!
Very useful thanks
Did you try adding the suffix ':z' or ':Z' to the volume mount?
In your case, the command would be
docker run -v /root:/test:Z --rm -it debian ls /test
This was helpful for me. Thanks!
About adding ‘:z’ or ‘:Z’, I saw this thread https://github.com/moby/moby/issues/30934 and not sure if it’s the best way to do it.
I ended up adding '--privileged' so it would work across machines, and across restarts. "setenforce 0" has to be done on every machine, and doesn't persist across restarts.
Sorry, but these are really bad solutions.
Running a privileged container is dangerous, as if the service inside has a vulnerability, it can be used to gain root access on the whole system. Never do that in production.
Deactivating SELinux (setenforce 0) is even worse: you deprive your whole system of an excellent security measure.
Just add :Z at the end of your volume mount strings so docker will create adapted selinux contexts for them.
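The check the post performed by hand (sestatus mode plus the label on the host directory) and the :z/:Z fix from the last comment, as an added pre-flight script that is not part of the original post or of Docker. It assumes the container runs confined (svirt_lxc_net_t on RHEL 7, container_t on newer policy) and can only touch files typed svirt_sandbox_file_t / container_file_t; the sample sestatus and ls -Zd lines are constructed to match what the post shows.

```shell
#!/bin/sh
# Hypothetical helper: decide whether a Docker bind mount will be denied by
# SELinux and build the least-privilege -v argument (relabel with :Z instead
# of --privileged or setenforce 0). Not part of the original post or Docker.
# Assumption: confined containers may only access files labelled
# svirt_sandbox_file_t (RHEL 7) / container_file_t (newer policy).

# Extract "Current mode" from `sestatus` output passed in $1.
selinux_mode() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "Current mode" { print $2 }'
}

# Extract the SELinux type (third colon field) from `ls -Zd DIR` output in $1.
# Looks for the field containing ":object_r:" so both the RHEL 7 layout
# ("drwx... root root user:role:type:level dir") and the newer coreutils
# layout ("user:role:type:level dir") are handled.
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, f, ":"); print f[3]; exit }
    }'
}

# "ok": mount works as-is; "relabel": needs :z/:Z; "ok-permissive": SELinux
# is not enforcing, so the access is only logged (this is the setenforce 0 case).
mount_verdict() {
    mode=$(selinux_mode "$1")
    type=$(label_type "$2")
    case "$mode" in
        enforcing)
            case "$type" in
                svirt_sandbox_file_t|container_file_t) echo ok ;;
                *) echo relabel ;;
            esac ;;
        *) echo ok-permissive ;;
    esac
}

# Build HOST:CTR[:Z] for `docker run -v`, adding the private relabel only when needed.
volume_arg() {
    if [ "$(mount_verdict "$1" "$2")" = relabel ]; then
        echo "$3:$4:Z"
    else
        echo "$3:$4"
    fi
}

# Constructed sample inputs matching the post's RHEL 7 host (/root is admin_home_t).
SESTATUS_SAMPLE="SELinux status: enabled
Current mode: enforcing"
LS_SAMPLE="dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root"
echo "docker run -v $(volume_arg "$SESTATUS_SAMPLE" "$LS_SAMPLE" /root /test) --rm -it debian ls /test"
```

On a real host, feed it `"$(sestatus)"` and `"$(ls -Zd /root)"` instead of the samples; the printed command keeps SELinux enforcing and the container unprivileged.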