Document SELinux relabelling options and add warning #832
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1590,6 +1590,23 @@ For example, you can specify either `/foo` or `foo` for a `host-src` value. | |
| If you supply the `/foo` value, Docker creates a bind mount. If you supply | ||
| the `foo` specification, Docker creates a named volume. | ||
|
|
||
| The `z` and `Z` modifiers will change the SELinux labels on the mount points. | ||
| The `z` option will make the files available to any container, using the `s0` label, | ||
| while the `Z` option will label the files with the same label as the container, so | ||
| that they are exclusive to that container. | ||
|
|
||
| WARNING Use of :z or :Z can have impacts on your system if used too broadly. | ||
| For example, the use of these options against a users HOME directory or other top | ||
| level system directory would result in the relabeling of those directories for use | ||
| by containers. There are some blacklisted paths, but this could cause issues such | ||
| as being unable to SSH back into a system. When using the relabel options, it should | ||
| only be used on directories that are intended for use by containers, and not the | ||
|
Contributor
There was a problem hiding this comment. sed s/intended/dedicated/g |
||
| host system itself. In most cases, such as shared access, it is better to label | ||
| in advance. If your container does require broader access to system directories, | ||
| then use of '--security-opt label:disable' with the 'docker run' command is a better | ||
|
Collaborator
There was a problem hiding this comment. Is this such a good thing to encourage?
Contributor
There was a problem hiding this comment. I swear we already have something about this in the docs, let me find it. Yes, here: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label Perhaps you can just link to that instead of putting these docs here.
Member
There was a problem hiding this comment. oh, forgot about that; good point. @justincormack perhaps you can look at that section in the docs and see if anything is missing there? Then we can link to there
Contributor
There was a problem hiding this comment. If you need to give a container broad access to content in a homedirectory ar all of /var then it is better to disable SELinux protections in the container then to attempt to change the labels. Use the '--security-opt label:disable` ... |
||
| alternative. Note that using the above option instead will disable SELinux checks | ||
| for that container. | ||
|
|
||
| ### USER | ||
|
|
||
| `root` (id = 0) is the default user within a container. The image developer can | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These do more then just modify the MCS Portion of the SELinux label. They modify the entire label to either
system_u:object_r:container_file_t:s0 or system_u:object_r:svirt_lxc_net_t:s0 (On RHEL/Centos, Hopefully fixed in RHEL7.5)