On 11/4/21 05:55, Leon N wrote:
Hey Tom,
By default, host directories aren't SELinux-labelled to be shared within a container in rootless mode, so SELinux will prevent access.
To share host directories within containers you need to use ":z", whereas to make a host directory private to a container you need to use ":Z".
For more clarity:
https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/
Hope this helps.
P.S.: I'm no container expert.
Here is what the Podman run man pages say about SELinux volume labeling.
```
Labeling Volume Mounts
Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content. By
default, Podman does not change the labels set by the OS.
To change a label in the container context, you can add either of two suffixes
:z or :Z to the volume mount. These suffixes tell Podman to relabel file objects
on the shared volumes. The z option tells Podman that two containers share the
volume content. As a result, Podman labels the content with a shared content
label. Shared volume labels allow all containers to read/write content. The Z
option tells Podman to label the content with a private unshared label.
```
Here is what I wrote on the subject back in 2015.
https://projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause...
And in 2018:
https://opensource.com/article/18/2/understanding-selinux-labels-containe...
Podman and Docker will prevent users from attempting to relabel:
```go
// Host paths that Podman and Docker refuse to relabel with :z or :Z;
// a volume mount of one of these with a relabel suffix is rejected.
exclude_paths := map[string]bool{
	"/":           true,
	"/bin":        true,
	"/boot":       true,
	"/dev":        true,
	"/etc":        true,
	"/etc/passwd": true,
	"/etc/pki":    true,
	"/etc/shadow": true,
	"/home":       true,
	"/lib":        true,
	"/lib64":      true,
	"/media":      true,
	"/opt":        true,
	"/proc":       true,
	"/root":       true,
	"/run":        true,
	"/sbin":       true,
	"/srv":        true,
	"/sys":        true,
	"/tmp":        true,
	"/usr":        true,
	"/var":        true,
	"/var/lib":    true,
	"/var/log":    true,
}
```
In the troubleshooting.md file on github.com/containers/podman I also cover this:
https://github.com/containers/podman/blob/main/troubleshooting.md#2-cant-...
Do you think we should expand our documentation on this?
Regards,
Leon.
On Thu, Nov 4, 2021 at 2:44 PM Tom Deseyn <tdeseyn(a)redhat.com> wrote:
Hi friends of podman!
I'm updating an application that uses docker to work with podman
on Fedora.
I ran into the issue that the volumes are not accessible in the container.
I can make it work by adding the 'z' option to place the proper labels
on the content.
Is this the right way to go about it?
The docker documentation has some warnings ('use extreme caution') for
these options. This is not mentioned in the podman docs. Does it work
differently between podman and docker, so that the warning wouldn't
apply to podman?
Thanks,
Tom
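The behaviour the thread describes, as an added worked example that is not Podman's or Docker's own code: it parses a `-v HOST:CONTAINER[:OPTIONS]` argument, refuses a relabel of any path in the exclude list quoted above, and shows which label the host content ends up with for `:z` (shared, no MCS categories, so every container can read and write it) versus `:Z` (private, carrying the one container's categories). The exact label strings, the error text, and the sample categories `c123,c456` are assumptions made for the example, not values taken from the thread.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// excludedPaths mirrors the exclude_paths list quoted in the thread: host
// directories that Podman and Docker refuse to relabel, because switching
// /etc or /usr to a container label would break the host itself.
var excludedPaths = map[string]bool{
	"/": true, "/bin": true, "/boot": true, "/dev": true, "/etc": true,
	"/etc/passwd": true, "/etc/pki": true, "/etc/shadow": true, "/home": true,
	"/lib": true, "/lib64": true, "/media": true, "/opt": true, "/proc": true,
	"/root": true, "/run": true, "/sbin": true, "/srv": true, "/sys": true,
	"/tmp": true, "/usr": true, "/var": true, "/var/lib": true, "/var/log": true,
}

// sharedLabel is the label applied for ":z" (assumption for this example:
// container_file_t at level s0 with no MCS categories, which is what lets
// every container read and write the content).
const sharedLabel = "system_u:object_r:container_file_t:s0"

// VolumeSpec is the parsed form of a "-v HOST:CONTAINER[:OPTIONS]" argument.
type VolumeSpec struct {
	HostPath      string
	ContainerPath string
	Relabel       string // "", "z" (shared) or "Z" (private)
}

// ParseVolume splits a -v argument and records whether :z or :Z was requested.
// Only the options relevant to labeling (z, Z) plus ro/rw are accepted.
func ParseVolume(arg string) (VolumeSpec, error) {
	parts := strings.Split(arg, ":")
	if len(parts) < 2 || len(parts) > 3 || parts[0] == "" || parts[1] == "" {
		return VolumeSpec{}, fmt.Errorf("invalid volume spec %q", arg)
	}
	spec := VolumeSpec{HostPath: filepath.Clean(parts[0]), ContainerPath: parts[1]}
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "z", "Z":
				if spec.Relabel != "" {
					return VolumeSpec{}, fmt.Errorf("%q: only one of z or Z may be given", arg)
				}
				spec.Relabel = opt
			case "ro", "rw":
				// mount mode, irrelevant to labeling
			default:
				return VolumeSpec{}, fmt.Errorf("%q: unsupported option %q", arg, opt)
			}
		}
	}
	return spec, nil
}

// LabelFor returns the SELinux label the host content would carry after the
// mount: "" when no relabel suffix was given (labels stay as the OS set them),
// the shared label for :z, and the container's own MCS categories appended
// for :Z. Paths in excludedPaths are refused before any relabel happens.
func LabelFor(spec VolumeSpec, containerMCS string) (string, error) {
	if spec.Relabel == "" {
		return "", nil
	}
	if excludedPaths[spec.HostPath] {
		return "", fmt.Errorf("SELinux relabeling of %s is not allowed", spec.HostPath)
	}
	if spec.Relabel == "z" {
		return sharedLabel, nil
	}
	return sharedLabel + ":" + containerMCS, nil
}

func main() {
	// Constructed sample of the MCS categories one container was assigned.
	const containerMCS = "c123,c456"
	for _, arg := range []string{
		"/srv/app/data:/data",
		"/srv/app/data:/data:z",
		"/srv/app/data:/data:Z,ro",
		"/home:/mnt/home:z",
	} {
		spec, err := ParseVolume(arg)
		if err != nil {
			fmt.Println(arg, "->", err)
			continue
		}
		label, err := LabelFor(spec, containerMCS)
		switch {
		case err != nil:
			fmt.Println(arg, "-> refused:", err)
		case label == "":
			fmt.Println(arg, "-> labels left unchanged")
		default:
			fmt.Println(arg, "->", label)
		}
	}
}
```

Note that the exclude list is matched on the cleaned path exactly, so `/srv` is refused while `/srv/app/data` is relabelled; that is also why `:Z` on a directory the host still needs is the case the Docker warning is about: once the content carries a single container's categories, host processes and other containers confined by SELinux lose access to it.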
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io