# Docker volumes and SELinux

By | July 7, 2017

When running complex environments on Docker on Linux, we once again face the mighty SELinux.

Plenty of SELinux alerts are generated when I start my environment on hosts that have SELinux enabled and whose containers use volumes.
Setting SELinux permissions is hard and tedious, and many people simply prefer to disable it.

Recently Docker finally merged a patch, shipped in docker-1.7, that takes care of the SELinux labels for you.
Docker (version 1.7 and up) now supports "z" and "Z" as options on volume mounts (-v).

## Using z

The above will automatically do:

## Using Z

This will label the content inside the container with the exact MCS label that the container runs with. Basically it runs:

where s0:c1,c2 differs for each container.

See the original post for more details: Using Volumes with Docker can Cause Problems with SELinux.

## Using the Z parameter in docker-compose

The Z parameter can then be used in docker-compose files to grant containers access to data volumes or to configuration files:
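As an added example (not the original post's compose file), the fragment below shows both suffixes in one docker-compose file: ":Z" for a private database directory and ":z" for a config file and a log directory that two containers share. The service names, images and host paths are assumptions.

```yaml
version: "3"

services:
  db:
    image: postgres:9.6
    volumes:
      # Private data: ":Z" relabels the host directory with this
      # container's own MCS category (svirt_sandbox_file_t:s0:cX,cY),
      # so no other container on the host can read or write it.
      - ./data/postgres:/var/lib/postgresql/data:Z

  web:
    image: nginx:1.13
    volumes:
      # Shared, read-only config: ":z" applies the shared label
      # (svirt_sandbox_file_t:s0) without a per-container category,
      # so any container may read it; "ro" keeps it read-only too.
      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro,z
      # Shared log directory, written by web and read by logshipper.
      - ./logs/nginx:/var/log/nginx:z

  logshipper:
    image: fluent/fluentd:v0.12
    volumes:
      - ./logs/nginx:/var/log/nginx:ro,z

# Both suffixes relabel the host path recursively. Only use them on
# directories dedicated to the containers (as above), never on system
# directories such as /home or /usr, or the host's own labels are lost.
```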
