Monday, June 5, 2017

[En] Mounting directory inside container and SELinux

Picture from www.docker.com
Using CoreOS on a daily basis sometimes lulls you into a false sense of security. Everything, or almost everything, just works and you don't care what is behind the magic. Switching systems from time to time can be painful, especially when you come back to CentOS or RHEL and don't want to disable SELinux. Below is one of the problems you can hit when you mount a folder inside a container.

The problem was quite trivial:
I wanted to run a container that maps the journal folder (/run/systemd/journal) as a Docker volume for my image. Unfortunately, after running:
docker run \
  -v /run/systemd/journal:/run/systemd/journal:ro \
  --name journal-test
I got a Permission denied from journalctl. Fortunately, the docker-run man page describes this very clearly:
So the solution was to run docker with the :z option added:
docker run \
  -v /run/systemd/journal:/run/systemd/journal:ro,z \
  --name journal-test
Please remember that ro and z must be separated by a comma.
After some more investigation I found a post by the SELinux guru, Using Volumes with Docker can Cause Problems with SELinux. It gives a nice explanation of the labels Docker uses and how the :z and :Z suffixes work.
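As an added example (not code from the original post), the helper below checks the SELinux type currently on a host directory before you bind-mount it, and builds the -v argument with the options comma-separated the way the post describes; the type names container_file_t and its older alias svirt_sandbox_file_t, and the stat -c %C call for reading a context, are assumptions about a typical CentOS/RHEL host.

```shell
#!/bin/sh
# Added example: decide whether a host directory already carries a label
# containers may access, and build the matching docker -v flag.

# Extract the SELinux type (third field of user:role:type:level).
selinux_type() {
    # $1: a full context such as system_u:object_r:container_file_t:s0:c1,c2
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if a confined container may access files with this context.
# container_file_t is the type current policies use; svirt_sandbox_file_t is
# the older name for the same type (assumed alias, see lead-in).
container_readable() {
    case "$(selinux_type "$1")" in
        container_file_t|svirt_sandbox_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the -v argument. "shared" appends :z (directory shared by containers),
# "private" appends :Z (one container gets a private MCS label). Options are
# joined with commas, as in the post: ":ro,z", never ":ro:z".
volume_flag() {
    # $1 host path, $2 container path, $3 "ro"|"rw", $4 "shared"|"private"|"none"
    opts="$3"
    case "$4" in
        shared)  opts="$opts,z" ;;
        private) opts="$opts,Z" ;;
    esac
    printf '%s %s:%s:%s\n' "-v" "$1" "$2" "$opts"
}

# Live check on the host: :z/:Z relabel the directory on the host itself,
# so look at the current label before relabeling a path the host also uses.
check_host_dir() {
    dir=$1
    ctx=$(stat -c %C "$dir" 2>/dev/null) || { echo "cannot stat $dir"; return 2; }
    if container_readable "$ctx"; then
        echo "$dir already labelled $ctx: no relabel needed"
    else
        echo "$dir is $ctx: containers get Permission denied; :z/:Z would relabel it on the host"
    fi
}
```

Run check_host_dir /run/systemd/journal on the host to see the label the container would hit; volume_flag only builds the argument and does not relabel anything.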