What SELinux context is necessary for container volumes using podman or docker?

Issue

When running containers with bind-mounted volumes, files cannot be accessed due to file permission errors or AVC denials.
AVC denials may look like the following, where a write system call was denied due to permissions issues:

type=SYSCALL msg=audit(03/29/2024 08:22:06.394:389289) : arch=x86_64 syscall=pwrite success=no exit=EACCES(Permission denied) a0=0xa a1=0x7f95e9d74000 a2=0x200 a3=0x3000 items=0 ppid=3798922 pid=3798924 auid=docker uid=unknown(297607) gid=unknown(297606) euid=unknown(297607) suid=unknown(297607) fsuid=unknown(297607) egid=unknown(297606) sgid=unknown(297606) fsgid=unknown(297606) tty=(none) ses=1 comm=ib_log_writer exe=/usr/sbin/myprocess subj=system_u:system_r:container_t:s0:c33,c876 key=(null)

If SELinux is put into permissive mode with setenforce 0, containerized processes can access the files on the volumes without further AVC denials or issues.

Environment

Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Select Your Language

What SELinux context is necessary for container volumes using podman or docker?

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links