CraigJPerry

Reputation: 981

Managing the SELinux context of a file created on the host via a Docker container's volume

I ran through the fig python / django tutorial on Fedora 20 (docker 1.0.0) but it failed & tripped an AVC denial in SELinux when django-admin.py attempted to create the project files.

I reviewed the policy, and I can see that setting the docker_var_lib_t context on my code dir would permit docker to write there (although I've just spied docker_share_t in the policy, which looks a better fit permissions-wise - no chr / blk devices in that context).

Code directory locations are not predictable, so setting a system-wide policy (via semanage fcontext) doesn't seem the best way forward; I'd need to introduce some kind of convention.

Is there any way to automatically set this context on volumes mounted from a host?

Upvotes: 4

Views: 1243

Answers (1)

You can set the following context on the directory:

chcon -Rt svirt_sandbox_file_t $HOME/code/export

Then run your docker command as:

docker run --rm -it -v $HOME/code/export:/exported:ro image /foo/bar

Upvotes: 2
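
The two steps from the answer combined into one wrapper, as an added example that is not part of the original answer: it relabels only when the directory does not already carry svirt_sandbox_file_t, and it refuses paths where a recursive chcon would sweep in far more than a code directory. The function names and the list of refused paths are assumptions; `stat -c %C` is the GNU coreutils format for the SELinux context.

```shell
#!/bin/sh
# Added example: label a host directory for container access only when needed.
# svirt_sandbox_file_t is the type from the answer above; the function names
# and the refused-path list are hypothetical.

WANTED_TYPE="svirt_sandbox_file_t"

# Print the type field of an SELinux context (user:role:type[:level]).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed if the given context does not already carry the wanted type.
needs_relabel() {
    [ "$(selinux_type "$1")" != "$WANTED_TYPE" ]
}

# Refuse paths where a recursive relabel would hit far more than a code dir.
safe_to_relabel() {
    case "${1%/}" in
        ""|/home|/etc|/usr|/var|"${HOME%/}") return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;   # require an absolute path
    esac
}

# Relabel DIR if required, then mount it read-only at /exported as in the answer.
run_with_volume() {
    dir=$1; shift
    safe_to_relabel "$dir" || { echo "refusing to relabel $dir" >&2; return 2; }
    ctx=$(stat -c %C "$dir") || return 1      # GNU stat: SELinux context
    if needs_relabel "$ctx"; then
        chcon -Rt "$WANTED_TYPE" "$dir" || return 1
    fi
    docker run --rm -it -v "$dir:/exported:ro" "$@"
}

# Usage: script.sh DIR IMAGE [COMMAND...]
[ "$#" -eq 0 ] || run_with_volume "$@"
```

Labels set with chcon are not recorded in the file-context database, so a later restorecon or full relabel can revert them.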
