Hey Tom,
By default, the host directories aren't SELinux labelled to be shared within a container in rootless mode, so SELinux will prevent access.
To share the host directories within containers you need to use ":z" whereas to make a host directory private to a container you need to use ":Z"
For more clarity
Hope this helps.
P.S: I'm no container expert
Here is what the Podman run man pages say about SELinux volume labeling.
```
Labeling Volume Mounts
Labeling systems like SELinux require that proper labels are
placed on volume content mounted into a container. Without a
label, the security system might prevent the processes running
inside the container from using the content. By default, Podman
does not change the labels set by the OS.
To change a label in the container context, you can add either
of two suffixes :z or :Z to the volume mount. These suffixes
tell Podman to relabel file objects on the shared volumes. The
z option tells Podman that two containers share the volume
content. As a result, Podman labels the content with a shared
content label. Shared volume labels allow all containers to
read/write content. The Z option tells Podman to label the
content with a private unshared label.
```
Here is what I wrote on the subject back in 2015.
https://projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
2018
https://opensource.com/article/18/2/understanding-selinux-labels-container-runtimes
Podman and Docker will prevent users from attempting to relabel:
```go
exclude_paths := map[string]bool{
	"/":           true,
	"/bin":        true,
	"/boot":       true,
	"/dev":        true,
	"/etc":        true,
	"/etc/passwd": true,
	"/etc/pki":    true,
	"/etc/shadow": true,
	"/home":       true,
	"/lib":        true,
	"/lib64":      true,
	"/media":      true,
	"/opt":        true,
	"/proc":       true,
	"/root":       true,
	"/run":        true,
	"/sbin":       true,
	"/srv":        true,
	"/sys":        true,
	"/tmp":        true,
	"/usr":        true,
	"/var":        true,
	"/var/lib":    true,
	"/var/log":    true,
}
```
In the troubleshooting.md file on github.com/containers/podman I also cover this:
Do you think we should expand our documentation on this?
Regards,
Leon.
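To make the two points in this reply concrete, here is an added example (my own illustration, not Podman's code) of how a relabel step could decide what :z and :Z mean for a given host path: the protected-directory list is the one quoted above, `container_file_t` is the SELinux type the container policy uses for content containers may access, and the `VolumeLabel` function name and the MCS pair `c123,c456` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// Host directories that must never be relabelled; mirrors the list quoted
// in this thread. Relabelling /etc or /usr would break the host itself.
var excludedPaths = map[string]bool{
	"/": true, "/bin": true, "/boot": true, "/dev": true, "/etc": true,
	"/etc/passwd": true, "/etc/pki": true, "/etc/shadow": true, "/home": true,
	"/lib": true, "/lib64": true, "/media": true, "/opt": true, "/proc": true,
	"/root": true, "/run": true, "/sbin": true, "/srv": true, "/sys": true,
	"/tmp": true, "/usr": true, "/var": true, "/var/lib": true, "/var/log": true,
}

// sharedLabel is the label :z applies: every container may read/write it.
// :Z appends the container's own MCS categories, so only that container
// (the one whose process label carries the same categories) may use it.
const sharedLabel = "system_u:object_r:container_file_t:s0"

var ErrExcluded = errors.New("refusing to relabel protected host path")

// VolumeLabel (hypothetical helper) returns the SELinux file label that a
// relabel of hostPath would apply for mount option "z" or "Z", given the
// container's MCS categories, or an error for protected system paths.
func VolumeLabel(hostPath, opt, mcs string) (string, error) {
	clean := filepath.Clean(hostPath) // "/etc/" and "/etc/../etc" both hit "/etc"
	if excludedPaths[clean] {
		return "", fmt.Errorf("%w: %s", ErrExcluded, clean)
	}
	switch opt {
	case "z":
		return sharedLabel, nil
	case "Z":
		return sharedLabel + ":" + mcs, nil
	default:
		return "", fmt.Errorf("unknown relabel option %q", opt)
	}
}

func main() {
	for _, tc := range []struct{ path, opt string }{
		{"/home/tom/app/data", "z"}, {"/home/tom/app/data/", "Z"}, {"/etc/", "Z"},
	} {
		label, err := VolumeLabel(tc.path, tc.opt, "c123,c456")
		fmt.Printf("%-20s :%s -> %q %v\n", tc.path, tc.opt, label, err)
	}
}
```

The Docker "use extreme caution" warning exists precisely because the relabel is applied recursively on the host side; the excluded list is the guard rail, and :Z is the safer default for a directory only one container needs.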
On Thu, Nov 4, 2021 at 2:44 PM Tom Deseyn <tdeseyn@redhat.com> wrote:
Hi friends of podman!
I'm updating an application that uses docker to work with podman on Fedora.
I run into the issue that the volumes are not accessible in the container.
I can make it work by adding the 'z' option to place the proper labels
on the content.
Is this the right way to go about it?
The docker documentation has some warnings ('use extreme caution') for
these options. This is not mentioned in the podman docs. Does it work
differently between podman and docker, so that the warning wouldn't
apply to podman?
Thanks,
Tom
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io