Add some information about disabling SELinux when using system volumes
A comment was made on an internal mailing list about confusion on SELinux
labeling of volumes. This PR makes it a little more clear about when
you should or should not relabel.

We need a similar comment in podman pod create, but it does not support
--security-opt processing yet.

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan authored and mheon committed Nov 12, 2021
1 parent 93a3e72 commit 2dc8db7
Showing 3 changed files with 26 additions and 0 deletions.
8 changes: 8 additions & 0 deletions docs/source/markdown/podman-build.1.md
Expand Up @@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.

Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers, disabling SELinux separation is recommended. The option
`--security-opt label=disable` disables SELinux separation for the container.
For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.

$ podman build --security-opt label=disable -v $HOME:/home/user .

`Overlay Volume Mounts`

The `:O` flag tells Podman to mount the directory from the host as a
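Review bot: The recommendation in the added note ("disabling SELinux separation is recommended") is broader than the problem it is answering: `--security-opt label=disable` removes SELinux confinement from the whole build container, not only from the mounted volume, so the note should say so explicitly and present it as the fallback for content that cannot be relabeled with `:z`/`:Z` (a whole home directory, system directories), not as the default for any host path. Two smaller points in the same hunk: the "For example, if a user wanted to volume mount their entire home directory..." sentence is one unwrapped line while the surrounding paragraph is wrapped at about 80 columns, and the example `$ podman build --security-opt label=disable -v $HOME:/home/user .` is a bare paragraph rather than an indented or fenced block, so check that it renders as code in the generated man page.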
9 changes: 9 additions & 0 deletions docs/source/markdown/podman-create.1.md
Expand Up @@ -1231,6 +1231,15 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.

Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers we recommend that disable SELinux separation. The option
`--security-opt label=disable` disables SELinux separation for containers used in the build.
For example if a user wanted to volume mount their entire home directory into a
container, they need to disable SELinux separation.

$ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file

`Overlay Volume Mounts`

The `:O` flag tells Podman to mount the directory from the host as a
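Review bot: The phrase "disables SELinux separation for containers used in the build" in this hunk is carried over from the podman-build wording and is wrong for podman-create.1.md, where no build is involved; it should read "for the container", as the podman-run hunk does. In the same paragraph, "we recommend that disable SELinux separation" is missing a word ("we recommend disabling SELinux separation" or "that you disable"), and "For example if" wants a comma after "example". The example `$ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file` should be indented or fenced like a code sample so it does not render as prose.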
9 changes: 9 additions & 0 deletions docs/source/markdown/podman-run.1.md
Expand Up @@ -1288,6 +1288,15 @@ share the volume content. As a result, Podman labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The **Z** option tells Podman to label the content with a private unshared label.

Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers we recommend that disable SELinux separation. The option
`--security-opt label=disable` disables SELinux separation for the container.
For example if a user wanted to volume mount their entire home directory into a
container, they need to disable SELinux separation.

$ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file

`Overlay Volume Mounts`

The `:O` flag tells Podman to mount the directory from the host as a
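Review bot: Same grammar slip as in podman-create.1.md: "we recommend that disable SELinux separation" needs "disabling" or "that you disable". There is also a markup mismatch specific to this file: two lines above the new text the option is written as **Z** in bold, while the added sentence uses backticks for `--security-opt label=disable`; follow the file's bold convention for options. As in the other two hunks, the `$ podman run ...` example is not marked up as code, and a sentence stating that the flag drops confinement for the entire container (every process in it, not just access to the volume) would make the trade-off clear to the reader deciding between `:Z` and `label=disable`.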

0 comments on commit 2dc8db7