Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

With SELinux, you have to append :z to volumes #368

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

With SELinux, you have to append :z to volumes #368

wants to merge 1 commit into from

Conversation

vonbrand
Copy link
Contributor

@vonbrand vonbrand commented Apr 6, 2021

No description provided.

pvalena
pvalena requested changes Apr 7, 2021
View reviewed changes
Copy link
Contributor

@pvalena pvalena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!
Please see the respective comments.

tools/docker/compose.md
links:
- db
db:
image: fedora-postgresql
volumes:
- ./db:/var/lib/pgsql/data
- ./db:/var/lib/pgsql/data:z
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand it correctly, this is for sharing between containers, right? (:z -> correct)

FYI: for sharing outside of container, you need capital :Z.

tools/docker/compose.md
@@ -79,13 +79,12 @@ web:
ports:
- "8000:8000"
volumes:
- ./awesome_web:/code
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You've removed the volume share altogether. Can you elaborate?

@pvalena pvalena self-assigned this Jun 2, 2021
@renich
Copy link
Contributor

renich commented Mar 11, 2022
edited
Loading

It should be noted that :z and :Z have different behaviors:

Labeling Volume Mounts

Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Podman does not change the labels set by the OS.

To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two containers share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Podman to label the content with a private unshared label.

Note: Do not relabel system files and directories. Relabeling system content might cause other confined services on your machine to fail. For these types of containers we recommend disabling SELinux separation. The option --security-opt label=disable disables SELinux separation for the container. For example if a user wanted to volume mount their entire home directory into a container, they need to disable SELinux separation.

https://docs.podman.io/en/latest/markdown/podman-run.1.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pvalena pvalena pvalena requested changes

Assignees

@pvalena pvalena

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vonbrand @renich @pvalena