I have one RHEL 7.4 node that, when enforcing SELinux, fails my container. I checked and found it is denying reads of the container's internal directories:
# docker run -it 172.16.1.120:5000/fluentd:0.14 ls /usr/bin
ls: cannot open directory /usr/bin: Permission denied
# docker run -it 172.16.1.120:5000/fluentd:0.14 ls -dZl /usr/bin
dr-xr-xr-x. 1 system_u:object_r:container_file_t:s0:c5,c284 root root 12288 Dec 15 2017 /usr/bin
SELinux is enforcing, but on another RHEL 7.4 node, also with SELinux enforcing, the "ls" can be executed:
[root@msun ~]$ # docker run -it fluentd:0.14 ls -l /bin/bash
-rwxr-xr-x. 1 root root 960632 Aug 3 2017 /bin/bash
[root@msun ~]$ # docker run -it fluentd:0.14 ls -dZl /bin/bash
-rwxr-xr-x. 1 system_u:object_r:container_file_t:s0:c122,c942 root root 960632 Aug 3 2017 /bin/bash
[root@msun ~]$ #
So the same container is denied on one node and permitted on another. I think the denial on the failed node is not correct; the container_t domain should be allowed to access files with the container_file_t type.
I need the possible cause and a suggestion for how I can investigate the issue on the failed node.
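Added example, not part of the original question and not Red Hat's or the docker project's own code: a shell helper for investigating the denial on the failing node. It assumes the standard RHEL 7 tooling (getenforce, ausearch from audit, sesearch from setools-console, semodule and getsebool from policycoreutils, rpm and docker), skips each live check when its tool is absent, and works through a constructed AVC record rather than one taken from the poster's node.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for investigating an
# SELinux denial inside a container on a RHEL 7 docker host.  Assumed tools:
# getenforce, ausearch, sesearch, semodule, getsebool, rpm, docker.  Every
# live check is skipped when its tool is missing, so the pure helpers below
# can be exercised on any host.

# Type (third field) of a full SELinux context such as
# system_u:object_r:container_file_t:s0:c5,c284
type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# MCS categories (fifth field, e.g. "c5,c284"); empty when the context has none.
mcs_of() {
    printf '%s\n' "$1" | awk -F: '{ print $5 }'
}

# Succeeds when two contexts carry the same MCS categories.  docker gives each
# container a random category pair: a container_t process with s0:c5,c284 may
# read container_file_t:s0:c5,c284 but is denied on container_file_t:s0:c122,c942
# even though the type pair container_t -> container_file_t is allowed.
mcs_match() {
    [ "$(mcs_of "$1")" = "$(mcs_of "$2")" ]
}

# Reduce one audit AVC record to "scontext tcontext tclass permission...".
parse_avc() {
    printf '%s\n' "$1" | sed -n \
      's/.*denied *{ *\([a-z_][a-z_ ]*[a-z_]\) *}.*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# Constructed sample record in the layout /var/log/audit/audit.log uses; the
# pid, inode and timestamp are made up and not taken from the poster's node.
SAMPLE_AVC='type=AVC msg=audit(1513312345.678:9876): avc:  denied  { read } for  pid=12345 comm="ls" name="bin" dev="overlay" ino=1234 scontext=system_u:system_r:container_t:s0:c5,c284 tcontext=system_u:object_r:container_file_t:s0:c5,c284 tclass=dir permissive=0'

# Live checks to run as root on the failing node, then on the working node
# for comparison.  Optional $1: a container id whose process and mount labels
# are printed for comparison with the file label shown by ls -Z inside it.
node_checks() {
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi
    if command -v docker >/dev/null 2>&1; then
        docker info 2>/dev/null | grep -i -A2 'Security Options'
        if [ -n "$1" ]; then
            docker inspect --format 'process={{.ProcessLabel}} mount={{.MountLabel}}' "$1"
        fi
    fi
    # Denials since boot for the container domain.  No record despite a real
    # denial usually means a dontaudit rule hides it; 'semodule -DB' disables
    # dontaudit rules and 'semodule -B' restores them.
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts boot 2>/dev/null | grep 'container_t' || echo "no container_t AVC records"
    fi
    # Does the loaded policy actually allow container_t to read and search
    # container_file_t directories?
    if command -v sesearch >/dev/null 2>&1; then
        sesearch --allow -s container_t -t container_file_t -c dir -p read,search
    fi
    # Policy module versions, container booleans and package versions, to
    # diff against the working node.
    if command -v semodule >/dev/null 2>&1; then
        semodule -l | grep -E '^(container|docker)'
    fi
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a | grep '^container'
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q container-selinux selinux-policy-targeted docker 2>/dev/null
    fi
    return 0
}

# Demonstration on the constructed record, then the live checks.
CID=${1:-}
set -- $(parse_avc "$SAMPLE_AVC")
src=$1; tgt=$2; cls=$3; shift 3
echo "denied { $* } on $cls: $(type_of "$src") -> $(type_of "$tgt")"
if mcs_match "$src" "$tgt"; then
    echo "MCS categories match ($(mcs_of "$src")): look at policy/type, not at a label mismatch"
else
    echo "MCS categories differ: $(mcs_of "$src") vs $(mcs_of "$tgt")"
fi
node_checks "$CID"
```

Run it as root on the failing node with the container id as the first argument, then on the working node, and diff the two outputs. The points worth comparing are whether the container's process label and the file label inside the container carry the same categories, whether sesearch shows the read/search allow rule for the dir class, and whether the container-selinux and selinux-policy-targeted versions differ between the nodes.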