On Thu, Nov 4, 2021 at 11:47 AM Daniel Walsh <dwalsh(a)redhat.com> wrote:
On 11/4/21 05:55, Leon N wrote:
Hey Tom,
By default, the host directories aren't SELinux-labelled to be shared within a
container in rootless mode, so SELinux will prevent access.
To share the host directories within containers you need to use ":z", whereas to
make a host directory private to a container you need to use ":Z".
For more clarity:
https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/
Hope this helps
P.S: I'm no container expert
Here is what the Podman run man pages say about SELinux volume labeling.
```
Labeling Volume Mounts
Labeling systems like SELinux require that proper labels are placed on volume
content mounted into a container. Without a label, the security system might
prevent the processes running inside the container from using the content.
By default, Podman does not change the labels set by the OS.
To change a label in the container context, you can add either of two suffixes
:z or :Z to the volume mount. These suffixes tell Podman to relabel file objects
on the shared volumes. The z option tells Podman that two containers share the
volume content. As a result, Podman labels the content with a shared content
label. Shared volume labels allow all containers to read/write content.
The Z option tells Podman to label the content with a private unshared label.
```
Here is what I wrote on the subject back in 2015:
https://projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause...
and in 2018:
https://opensource.com/article/18/2/understanding-selinux-labels-containe...
Podman and Docker will prevent users from attempting to relabel:
```
// Paths that are never relabelled, even when :z or :Z is requested.
exclude_paths := map[string]bool{
	"/":           true,
	"/bin":        true,
	"/boot":       true,
	"/dev":        true,
	"/etc":        true,
	"/etc/passwd": true,
	"/etc/pki":    true,
	"/etc/shadow": true,
	"/home":       true,
	"/lib":        true,
	"/lib64":      true,
	"/media":      true,
	"/opt":        true,
	"/proc":       true,
	"/root":       true,
	"/run":        true,
	"/sbin":       true,
	"/srv":        true,
	"/sys":        true,
	"/tmp":        true,
	"/usr":        true,
	"/var":        true,
	"/var/lib":    true,
	"/var/log":    true,
}
```
It seems the "extreme caution" warning in the docker docs is
out-of-date because it explicitly refers to '/home' and '/usr'.
In the troubleshooting.md file on github.com/containers/podman I also
cover this:
https://github.com/containers/podman/blob/main/troubleshooting.md#2-cant-...
Do you think we should expand our documentation on this?
The FUD came from the docker documentation.
Podman docs led me to use the 'z'/'Z' options as the way to work with
SELinux.
So the docs are good.
Regards,
Leon.
On Thu, Nov 4, 2021 at 2:44 PM Tom Deseyn <tdeseyn(a)redhat.com> wrote:
>
> Hi friends of podman!
>
> I'm updating an application that uses docker to work with podman on Fedora.
> I ran into the issue that the volumes are not accessible in the container.
>
> I can make it work by adding the 'z' option to place the proper labels
> on the content.
> Is this the right way to go about it?
>
> The docker documentation has some warnings ('use extreme caution') for
> these options. This is not mentioned in the podman docs. Does it work
> differently between podman and docker, so that the warning wouldn't
> apply to podman?
>
> Thanks,
>
> Tom
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
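As an added illustration of the rules discussed in this thread (this is not Podman's own code), the Go program below parses a `-v source:dest[:options]` volume spec, recognises the `z` (shared) and `Z` (private) suffixes, and refuses to relabel any source that resolves to one of the excluded system paths after path cleaning. The SELinux context strings are assumptions for illustration: `container_file_t` at `s0` for a shared volume, and `container_file_t` with a caller-supplied MCS category pair for a private one; the real policy and Podman's real label strings may differ.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// excludePaths reproduces the list quoted in the thread. Only exact matches are
// refused: /home is excluded, but /home/alice/data is still eligible for :z/:Z.
var excludePaths = map[string]bool{
	"/": true, "/bin": true, "/boot": true, "/dev": true, "/etc": true,
	"/etc/passwd": true, "/etc/pki": true, "/etc/shadow": true, "/home": true,
	"/lib": true, "/lib64": true, "/media": true, "/opt": true, "/proc": true,
	"/root": true, "/run": true, "/sbin": true, "/srv": true, "/sys": true,
	"/tmp": true, "/usr": true, "/var": true, "/var/lib": true, "/var/log": true,
}

// Decision records what a -v spec asks for and whether it would be honoured.
type Decision struct {
	Source, Dest string
	Relabel      string // "", "shared" (:z) or "private" (:Z)
	Label        string // illustrative SELinux context that would be applied
	Err          error
}

// evalVolumeSpec parses "source:dest[:options]" and applies the thread's rules.
// mcs is the container's MCS category pair (e.g. "s0:c12,c34"), an assumption
// used only to build the illustrative private label.
func evalVolumeSpec(spec string, mcs string) Decision {
	parts := strings.Split(spec, ":")
	if len(parts) < 2 || len(parts) > 3 {
		return Decision{Err: fmt.Errorf("malformed volume spec %q", spec)}
	}
	// Clean the source so "/home/" or "/var/log/../lib" cannot dodge the list.
	d := Decision{Source: filepath.Clean(parts[0]), Dest: parts[1]}
	if len(parts) == 3 {
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "z":
				d.Relabel = "shared"
			case "Z":
				d.Relabel = "private"
			}
		}
	}
	if d.Relabel == "" {
		return d // no relabel requested: host labels are left untouched
	}
	if excludePaths[d.Source] {
		d.Err = fmt.Errorf("refusing to relabel %s: system path", d.Source)
		return d
	}
	switch d.Relabel {
	case "shared":
		d.Label = "system_u:object_r:container_file_t:s0" // readable by all containers
	case "private":
		d.Label = "system_u:object_r:container_file_t:" + mcs // this container only
	}
	return d
}

func main() {
	// Constructed sample specs; the MCS pair is a made-up value.
	for _, spec := range []string{
		"/home/alice/data:/data:Z",
		"/home/:/data:z",
		"/srv/app:/app",
		"/var/log/../lib:/x:z",
	} {
		d := evalVolumeSpec(spec, "s0:c12,c34")
		if d.Err != nil {
			fmt.Printf("%-28s -> %v\n", spec, d.Err)
			continue
		}
		fmt.Printf("%-28s -> relabel=%q label=%q\n", spec, d.Relabel, d.Label)
	}
}
```

The point the program makes is the one Dan makes above: the `:z`/`:Z` suffixes are the supported way to make host content usable under SELinux, and the exclusion list is what stops a careless `-v /home:/x:Z` or `-v /usr:/x:z` from relabelling a whole system directory, which is the scenario the old Docker warning was about.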