
I have Docker on CentOS 7 with SELinux set to enforcing on the host, and the Docker daemon is started with the --selinux-enabled flag.

When I try to run the following command

docker run -it   -v /usr/local/xya/log:/usr/local/xya/log:z centos/systemd touch /usr/local/xya/log/test 

I get the following error:

docker: Error response from daemon: error setting label on mount source '/usr/local/xya/log': relabeling content in /usr is not allowed.

As per some articles (http://jaormx.github.io/2018/selinux-and-docker-notes/), the ‘z’ flag is supposed to make /usr writable; not sure if I am missing something.

Docker version 19.03.3, build a872fc2f86
CentOS version: CentOS Linux release 7.5.1804

2 Answers


  1. The image has no permission to edit or create new files in the usr folder; per the docs, you may start the container with the --privileged parameter.

  2. I recently had a similar (albeit different) issue; I found Juan’s SELinux and docker notes helpful.

    I’m having trouble finding the documentation that highlighted the following point, but I recall seeing it and was able to get around my issues by accepting it as truth. I will update it if/when I stumble across it again. Not everything within /usr or /etc will grant you write access in SELinux, at least not in the context of Docker.

    You can access the /etc and /usr directories within the SELinux context, but you cannot obtain write access everywhere, so z and Z will occasionally give you "unable to label" issues when spinning up Docker containers with volume mounts from those locations. However, if you have SELinux-protected files elsewhere, e.g. in a user's home directory, you’d be able to have Docker relabel those files appropriately — that is, you’d be able to write to those SELinux-protected files/directories with the z or Z flags.

    If you need to write within the /usr or /etc directories and are getting the "unable to relabel" alert, the --privileged flag or the --security-opt label:disable flag should be used instead of the z syntax. This would allow you to have write access, but you’d need to remove the z from your volume mount, as Docker would still give you the "unable to relabel" statement.

    Note: you can also invoke privileged in the docker-compose.yml via privileged: true for a given service.

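A pre-flight check for the situation the question and the second answer describe, as an added example that is not code from the thread or from Docker: it parses "-v SRC:DST[:OPTS]" specs and flags a z/Z relabel request whose source lies under /usr or /etc before "docker run" fails with "relabeling content in /usr is not allowed". The REFUSED_PREFIXES list is a constructed assumption covering only the directories the thread names; the daemon's own list is longer.

```shell
#!/bin/sh
# Pre-flight check for "docker run -v SRC:DST:OPTS" bind mounts that request an
# SELinux relabel (:z or :Z). The daemon refuses to relabel content under some
# top-level system directories; the thread shows /usr (and names /etc) as such.
# REFUSED_PREFIXES is a constructed list covering only what the thread names.
# The daemon's own list is longer, so "refused" here is definite but "ok" only
# means "not known to be refused".
REFUSED_PREFIXES="/usr /etc"

# relabel_refused SRC -> status 0 when SRC is a refused prefix or lies beneath one
relabel_refused() {
    candidate=$1
    for p in $REFUSED_PREFIXES; do
        case "$candidate" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# check_volume_spec "SRC:DST[:OPTS]" -> status 0 when the relabel request is
# acceptable (or absent), 1 when z/Z is requested on a refused source
check_volume_spec() {
    spec=$1
    src=${spec%%:*}
    rest=${spec#*:}
    opts=
    case "$rest" in
        *:*) opts=${rest#*:} ;;
    esac
    wants_relabel=1
    # mount options are comma separated, e.g. "ro,z"
    oldifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in z|Z) wants_relabel=0 ;; esac
    done
    IFS=$oldifs
    if [ "$wants_relabel" -eq 0 ] && relabel_refused "$src"; then
        echo "refused: relabeling content in $src is not allowed; drop ':$opts'" >&2
        echo "  (the thread's workarounds: --privileged or --security-opt label:disable)" >&2
        return 1
    fi
    return 0
}

# Usage: sh preflight.sh SRC:DST[:OPTS] ...   (no arguments: functions only)
for spec in "$@"; do
    check_volume_spec "$spec" && echo "ok: $spec"
done
```

Both of the thread's workarounds turn off SELinux confinement for the whole container, so a "refused" verdict is the point to decide whether that trade is acceptable for this workload.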