Add some information about disabling SELinux when using system volumes

A comment was made on an internal mailing list about confusion on SELinux
labeling of volumes. This PR makes it a little more clear about when
you should or should not relabel.

We need a similar comment in podman pod create, but it does not support
--security-opt processing yet.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2021-11-04 04:14:12 -07:00
parent abbd6c167e
commit 4e8bf8be4b
3 changed files with 26 additions and 0 deletions

@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers, disabling SELinux separation is recommended. The option
`--security-opt label=disable` disables SELinux separation for the container.
For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.
$ podman build --security-opt label=disable -v $HOME:/home/user .
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
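Review bot: The sentence "`--security-opt label=disable` disables SELinux separation for the container" should make explicit that this removes SELinux confinement from the entire container process, not only from the mounted volume; a reader weighing `:z`/`:Z` relabeling against `label=disable` needs to know the trade-off is giving up container isolation, not merely skipping a relabel. Suggest something like "disables SELinux separation for the whole container, so the container process is no longer confined by SELinux". Style: the "For example, if a user wanted to volume mount ..." line runs far past the 80-column wrapping used by the surrounding text; reflow it to match, and "into the build containers" reads better as "into a build container".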

@ -1249,6 +1249,15 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers we recommend that disable SELinux separation. The option
`--security-opt label=disable` disables SELinux separation for containers used in the build.
For example if a user wanted to volume mount their entire home directory into a
container, they need to disable SELinux separation.
$ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
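Review bot: "we recommend that disable SELinux separation" is missing its subject; either "we recommend that you disable SELinux separation" or the wording already used in the `podman build` hunk, "disabling SELinux separation is recommended". More importantly, "disables SELinux separation for containers used in the build" appears to be carried over from the build page: this is the `podman create` documentation, so it should read "for the container". A comma after "For example" would match the build hunk.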

@ -1314,6 +1314,15 @@ share the volume content. As a result, Podman labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The **Z** option tells Podman to label the content with a private unshared label.
Note: Do not relabel system files and directories. Relabeling system content
might cause other confined services on your machine to fail. For these types
of containers we recommend that disable SELinux separation. The option
`--security-opt label=disable` disables SELinux separation for the container.
For example if a user wanted to volume mount their entire home directory into a
container, they need to disable SELinux separation.
$ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
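Review bot: Same grammar slip as the `podman create` hunk: "we recommend that disable SELinux separation" needs "that you disable" or "disabling ... is recommended". The added paragraph is otherwise consistent with the other two pages. Note that the context here shows the **Z** description without the "Only the current container can use a private volume." line that both other pages carry; that is outside this hunk's changes, but worth aligning while these three pages are being edited together.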