# Docker volumes and SELinux

July 7, 2017

When running complex environments with Docker on Linux, we once again face the mighty SELinux.

Plenty of SELinux alerts are generated when I start my environment if the host machines have SELinux enabled and the containers use volumes.
Setting SELinux permissions is hard and tedious, and many people simply prefer to disable it.

Recently Docker finally merged a patch in docker-1.7 that takes care of the SELinux permissions for you.
Docker (version 1.7 and up) now supports “z” and “Z” as options on volume mounts (-v).

## Using z

Mounting a volume with the z option automatically does the equivalent of:

## Using Z

This labels the content with the exact MCS label that the container will run with; basically it runs:

where s0:c1,c2 differs for each container.
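The following script is an added example, not code from the original post. It shows how the z and Z options translate into `docker run` volume specs and into the relabeling Docker performs under the hood, plus a small check a defender can run before mounting: is the host directory already labeled with a type containers may access, and if so, which MCS level does it carry? The host paths, the container name and the sample contexts are constructed; `svirt_sandbox_file_t` is the container content type of Docker 1.7-era policies (newer policies call it `container_file_t`), and the `chcon` lines are assumed to be the equivalent of what Docker does when relabeling.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around Docker's z/Z
# volume options on an SELinux host. Paths are hypothetical.

# Build the -v argument for `docker run`.
#   mode "shared"  -> :z  (shared label; any container may use the volume)
#   mode "private" -> :Z  (private MCS label; only this container may use it)
volume_spec() {
    host="$1"; cont="$2"; mode="$3"
    case "$mode" in
        shared)  printf '%s:%s:z\n' "$host" "$cont" ;;
        private) printf '%s:%s:Z\n' "$host" "$cont" ;;
        *) echo "volume_spec: mode must be shared or private" >&2; return 1 ;;
    esac
}

# Type field of an SELinux context (user:role:type:level).
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Return 0 when the type is one Docker containers are allowed to access,
# 1 otherwise (e.g. var_t, user_home_t, which trigger the familiar denials).
is_container_type() {
    case "$(context_type "$1")" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# MCS level of a context, e.g. s0:c1,c2. With the Z option this level must
# match the container's own process label or the container is denied access.
mcs_level() {
    printf '%s' "$1" | cut -d: -f4-
}

# What Docker effectively runs on the host directory for each option
# (assumed equivalent of Docker's relabel; "level" is only used for private).
relabel_command() {
    host="$1"; mode="$2"; level="$3"
    case "$mode" in
        shared)  printf 'chcon -Rt svirt_sandbox_file_t %s\n' "$host" ;;
        private) printf 'chcon -Rt svirt_sandbox_file_t -l %s %s\n' "$level" "$host" ;;
        *) echo "relabel_command: mode must be shared or private" >&2; return 1 ;;
    esac
}

# Read a directory's real context with GNU stat when running on an SELinux
# host; otherwise fall back to a constructed sample so the demo runs anywhere.
host_context() {
    ctx=$(stat -c %C "$1" 2>/dev/null || true)
    case "$ctx" in
        ""|"?") printf 'unconfined_u:object_r:var_t:s0\n' ;;  # constructed sample
        *) printf '%s\n' "$ctx" ;;
    esac
}

# Print advice for one mount: reuse the existing label or let Docker relabel.
advise() {
    host="$1"; cont="$2"; mode="$3"
    ctx=$(host_context "$host")
    if is_container_type "$ctx"; then
        echo "$host is already $(context_type "$ctx") at level $(mcs_level "$ctx"); a plain -v $host:$cont works"
    else
        echo "$host is $(context_type "$ctx"); use -v $(volume_spec "$host" "$cont" "$mode") so Docker runs: $(relabel_command "$host" "$mode" '<container MCS level>')"
    fi
}

# Demo on hypothetical paths (output depends on whether the host has SELinux).
advise /srv/shared-config /etc/app/config shared
advise /srv/pgdata /var/lib/postgresql/data private
```

`mcs_level` is the check to run when a Z-labeled volume is later reused by a different container: the level baked into the files (for example `s0:c1,c2`) will not match the new container's label, and the fix is to relabel again with Z rather than to disable SELinux.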

See the original post, Using Volumes with Docker can Cause Problems with SELinux, for more details.

## Using the Z parameter in docker-compose

The Z parameter can then be used in docker-compose files to give permissions to data volumes or to configuration files:
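An added example of such a compose file (not the original post's own file): the database's data directory gets a private label with Z, while the web server's configuration file gets a shared label with z so other containers on the host may also mount it. The service names, images and host paths are assumptions.

```yaml
# docker-compose.yml (added example, hypothetical services and paths)
version: '2'
services:
  db:
    image: postgres
    volumes:
      # Z: private MCS label, only this container can read and write the data
      - ./data/postgres:/var/lib/postgresql/data:Z
  web:
    image: nginx
    volumes:
      # z: shared label, the same config file may be mounted by other containers
      - ./config/nginx.conf:/etc/nginx/nginx.conf:z
    ports:
      - "8080:80"
```

Use Z for anything only one container should touch (databases, private state) and z only where sharing is intended; a shared label on a data directory lets every container on the host read it.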