
Here is what I do:

$ docker run -it --rm tomcat:8.5-alpine sh
/usr/local/tomcat # adduser -D -g '' -u 1000 user
/usr/local/tomcat # chown -R user:user $CATALINA_HOME
/usr/local/tomcat # su user -c 'catalina.sh run'
sh: catalina.sh: Permission denied

/usr/local/tomcat # echo $CATALINA_HOME
/usr/local/tomcat
/usr/local/tomcat # ls -la $CATALINA_HOME
total 128
drwxr-xr-x   20 user     user          4096 Dec  4 00:47 .
drwxr-xr-x   10 root     root          4096 Dec  4 00:47 ..
-rw-r-----    1 user     user         57092 Nov  3 21:16 LICENSE
-rw-r-----    1 user     user          1723 Nov  3 21:16 NOTICE
-rw-r-----    1 user     user          7063 Nov  3 21:16 RELEASE-NOTES
-rw-r-----    1 user     user         15946 Nov  3 21:16 RUNNING.txt
drwxr-x---    2 user     user          4096 Dec  4 00:47 bin
drwx------    2 user     user          4096 Dec  4 00:47 conf
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 include
drwxr-x---    2 user     user          4096 Dec  4 00:47 lib
drwxr-x---    2 user     user          4096 Nov  3 21:14 logs
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 native-jni-lib
drwxr-x---    2 user     user          4096 Dec  4 00:47 temp
drwxr-x---   12 user     user          4096 Dec  4 00:47 webapps
drwxr-x---    2 user     user          4096 Nov  3 21:14 work

/usr/local/tomcat # su user -c 'ls -la /usr/local/tomcat/bin'
ls: can't open '/usr/local/tomcat/bin': Permission denied
total 0

/usr/local/tomcat # su user -c 'ls -la /usr/local/tomcat/include'
total 12
drwxr-xr-x    4 user     user          4096 Dec  4 00:47 .
drwxr-xr-x   20 user     user          4096 Dec  4 00:47 ..
drwxr-xr-x    2 user     user          4096 Nov 17 23:45 apr-1

I don't understand why my newly created user "user" can't access /usr/local/tomcat/bin whereas it can access /usr/local/tomcat/include: user has all the user and group rights over this bin folder...

I've got the same results if I launch docker with --privileged=true (docker run --privileged=true -it --rm tomcat:8.5-alpine sh), and this Docker image doesn't seem to use SELinux, as su -c "setenforce 0" gives the error ash: setenforce: not found.

I'm using Docker version 1.12.3, build 6b644ec on Ubuntu 14.04.5 LTS.

Does this correspond to a bug in Docker with the AUFS driver?

Anthony O.
  • Haven't you found any solution yet? – rideronthestorm Aug 22 '17 at 15:26
  • @rideronthestorm sadly no, I finally ran Tomcat as root: https://github.com/anthony-o/SwinGifts/blob/master/run_with_docker.sh#L89 . I think it is due to a bug in Docker with AUFS driver: https://github.com/moby/moby/issues/24660 – Anthony O. Aug 23 '17 at 13:54
  • @rideronthestorm or perhaps in your case it is a "chmod THEN chown" problem? see https://github.com/moby/moby/issues/6047#issuecomment-270156862 – Anthony O. Aug 23 '17 at 13:58

1 Answer


That looks like a Security-Enhanced Linux issue.

Try first:

su -c "setenforce 0"

Or use --privileged when using docker run

docker run --privileged=true -it --rm tomcat:8.5-alpine sh
VonC