Activity log for bug #1863604

Date | Who | What changed | Old value | New value | Message
2020-02-17 11:48:40 | Bernhard Reiter | bug | | | added bug
2020-02-17 11:54:05 | Bernhard Reiter | bug task added | | docker.io (Ubuntu) |
2020-02-17 11:55:38 | Bernhard Reiter | description | see below | see below |
2020-02-17 15:31:16 | Ian Johnson | snapd (Ubuntu): status | New | Won't Fix |

Description change of 2020-02-17 11:55:38

Old value: the new value below without its final line ("Edit: I'm on Ubuntu 18.04.4 LTS").

New value:

I'm currently trying to use `docker-compose` (from the Docker snap; `whereis docker-compose` says `docker-compose: /snap/bin/docker-compose`; `snap info docker` says `installed: 18.09.9`) with a `docker-compose.yml` file that's in a subfolder of a hidden directory of my home folder (think `/home/me/.something/sha0123abc/docker-compose.yml`).

That fails with

    .IOError: [Errno 13] Permission denied: '/home/me/.something/sha0123abc/docker-compose.yml'

Per https://stackoverflow.com/questions/53344380/errno-13-while-running-docker-compose-up, I ran

    cat /var/log/syslog | tail -n 400

which gave

    Feb 17 17:33:16 mylaptop kernel: [22167.704290] audit: type=1400 audit(1581939196.674:265): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/home/me/.something/sha0123abc/docker-compose.yml" pid=20209 comm="python2" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
    Feb 17 17:33:16 mylaptop kernel: [22167.704293] audit: type=1400 audit(1581939196.674:266): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/home/me/.something/sha0123abc/docker-compose.yml" pid=20209 comm="python2" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001

Things seem to work if I choose a location in a non-hidden directory instead. However, this seems like a bug to me; I don't understand a lot about Snap's/AppArmor's privilege system, but shouldn't a Snap be able to access the contents of a hidden directory in my home folder?

The context for this is a build system that wraps docker-compose in an additional tool, which places its config files in a `.something` hidden directory in a user's home folder. More discussion here: https://github.com/WordPress/gutenberg/issues/20180

Edit: I'm on Ubuntu 18.04.4 LTS