SELinux preventing read on files copied during Docker build

Hi all!

I’ve decided to give Fedora CoreOS a try on a server as I’m a huge fan of Fedora Workstation - the best OS I’ve had, hands down.

However, I’ve stumbled upon an unexpected SELinux setup when I was trying to build a simple image like:

WORKDIR /srv/
COPY ./package.json ./yarn.lock ./
ENV PATH /srv/node_modules/.bin:$PATH
RUN yarn install --production

The last command fails with "EACCES: permission denied, open '/srv/package.json'" as SELinux denies access to package.json: "SELinux is preventing node from read access on the file package.json."

From my point of view, this is a bit unexpected. Changing Dockerfiles to add labels doesn’t make sense to me. I guess labelling with container_file_t in CI once the source code gets pulled would make a bit more sense?

Thanks!

I’m not a CoreOS guru.

However, I think that is what packages do if they are not pre-registered in the global selinux policy for the system. See for example the %post section of the chromium installation script.

I guess your case would be something like the following.

semanage fcontext -a -t container_file_t '/srv(/.*)?'
restorecon -v -r /srv

and maybe

semanage permissive -a container_t

(Though I’m not sure about that last one. It is probably too big of a hammer in most cases.)

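The labelling procedure from the reply above, written out as an added example (not code from either poster): it registers the container_file_t rule for a build-context directory, relabels it, and then verifies from "ls -Z" output that every file actually carries that type, so a stale label is caught before the next build. It assumes semanage and restorecon are installed on the host and that the build context is passed as the first argument (e.g. /srv/app).

```shell
#!/bin/sh
# Added example: label a Docker build context as container_file_t and verify it.
set -eu

# Extract the type field from a context string such as
# "unconfined_u:object_r:container_file_t:s0" -> "container_file_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z"-style lines ("<context> <name>") on stdin and return 0 only
# when every entry has the container_file_t type, 1 at the first mismatch.
all_container_file_t() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ctx=${line%% *}
        [ "$(selinux_type "$ctx")" = container_file_t ] || return 1
    done
    return 0
}

# Register the file-context rule for the directory tree and apply it.
# Uses "-a"; if a rule for this path already exists, semanage reports that
# and "-m" (modify) is the right flag instead (assumption: you run as root).
label_build_context() {
    dir=$1
    semanage fcontext -a -t container_file_t "${dir}(/.*)?"
    restorecon -v -R "$dir"
}

# Check the resulting labels so a build does not fail later with EACCES.
verify_build_context() {
    dir=$1
    ls -Z "$dir" | all_container_file_t
}

# Only act when a directory is given; sourcing the file just defines helpers.
if [ "$#" -gt 0 ]; then
    label_build_context "$1"
    if verify_build_context "$1"; then
        echo "all files in $1 are labelled container_file_t"
    else
        echo "some files in $1 still carry another type" >&2
        exit 1
    fi
fi
```

Run it as "sh label-context.sh /srv/app" after the source is pulled in CI; the verification step is also useful on its own to confirm a directory's labels before a build.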