Merge pull request containers#12172 from rhatdan/man

[CI:DOCS] Add some information about disabling SELinux when using system volumes
Luap99 · Nov 8, 2021 · d6ef903 · d6ef903
2 parents 865653b + 4e8bf8b
commit d6ef903
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md
@@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
 The `Z` option tells Podman to label the content with a private unshared label.
 Only the current container can use a private volume.
 
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail.  For these types
+of containers, disabling SELinux separation is recommended.  The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.
+
+	   $ podman build --security-opt label=disable -v $HOME:/home/user .
+
   `Overlay Volume Mounts`
 
    The `:O` flag tells Podman to mount the directory from the host as a

diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
@@ -1249,6 +1249,15 @@ content label. Shared volume labels allow all containers to read/write content.
 The `Z` option tells Podman to label the content with a private unshared label.
 Only the current container can use a private volume.
 
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail.  For these types
+of containers we recommend that disable SELinux separation.  The option
+`--security-opt label=disable` disables SELinux separation for containers used in the build.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+	   $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
   `Overlay Volume Mounts`
 
    The `:O` flag tells Podman to mount the directory from the host as a

diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
@@ -1314,6 +1314,15 @@ share the volume content. As a result, Podman labels the content with a shared
 content label. Shared volume labels allow all containers to read/write content.
 The **Z** option tells Podman to label the content with a private unshared label.
 
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail.  For these types
+of containers we recommend that disable SELinux separation.  The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+	   $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
   `Overlay Volume Mounts`
 
    The `:O` flag tells Podman to mount the directory from the host as a