
---
tags:
  - SELinux
categories:
  - Linux
  - Container
date:
  created: 2022-06-02
  # updated: 2024-01-19
---

# Podman Volumes and SELinux

## SELinux

Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that gives administrators finer-grained control over who can access what on the system [What is SELinux?]. For a detailed description of SELinux, refer to SELinux Policies and Rules.

## 1. Problem Introduction

When Podman runs on a system with SELinux enabled and host directories need to be mapped into containers as volumes, permission problems are encountered.

When running a podman container as a non-root account, files in the `/home/user/` directory may carry a context such as `unconfined_u:object_r:data_home_t:s0`, but podman volumes require the context `system_u:object_r:container_file_t:s0` to function properly. Container volumes created by podman at runtime automatically get the appropriate context set. However, for a volume that maps the `/home/user/` directory, podman does not change the context by default, so the confined container process is denied access to the files.

## 2. Auto Labels

Podman provides two labels for modifying the security context of a volume at runtime: `:z` and `:Z`.

- Shared labels (`:z`): allow multiple containers to access the volume at the same time.
- Private labels (`:Z`): allow only the specific container the volume was mounted into to access it.
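The following is an added example (not code from the original post) that turns the rules above into a small bash helper: it reads the type field out of a context string like the ones quoted in section 1, decides whether a bind mount of that path would need relabelling, and builds the `-v` argument with the `:z` or `:Z` suffix. The function names and the sample contexts are the example's own; `stat -c %C` is the GNU coreutils way to read a path's SELinux context and only works on an SELinux host.

```shell
#!/usr/bin/env bash
# Added example: choose the podman relabel suffix for a bind mount and check
# whether a host path already carries a context that containers can use.
set -euo pipefail

# Type that podman puts on volume content (the post's required context is
# system_u:object_r:container_file_t:s0).
CONTAINER_TYPE="container_file_t"

# ctx_type CONTEXT -> prints the SELinux type field of a context string,
# e.g. "unconfined_u:object_r:data_home_t:s0" -> "data_home_t".
# The type is always the third colon-separated field; the level after it
# may itself contain colons (e.g. "s0:c123,c456"), so cut it off with %%.
ctx_type() {
  local ctx=$1
  local rest=${ctx#*:}          # drop the user field
  rest=${rest#*:}               # drop the role field
  printf '%s\n' "${rest%%:*}"   # keep the type, discard the level
}

# needs_relabel CONTEXT -> succeeds if a bind mount of a path with this
# context would need :z/:Z before a confined container could use it.
needs_relabel() {
  [ "$(ctx_type "$1")" != "$CONTAINER_TYPE" ]
}

# volume_arg HOST_DIR CTR_DIR shared|private -> the -v argument for podman run
# ":z" relabels for sharing between containers, ":Z" for a single container.
volume_arg() {
  local host=$1 ctr=$2 mode=$3 suffix
  case "$mode" in
    shared)  suffix="z" ;;
    private) suffix="Z" ;;
    *) echo "mode must be shared or private" >&2; return 1 ;;
  esac
  printf -- '-v %s:%s:%s\n' "$host" "$ctr" "$suffix"   # -- : format starts with -
}

# host_context PATH -> current SELinux context of PATH (SELinux hosts only)
host_context() {
  stat -c '%C' -- "$1"
}

# Usage on a real host (kept as a comment: it needs podman and SELinux):
#   ctx=$(host_context /home/user/data)
#   if needs_relabel "$ctx"; then
#     podman run --rm $(volume_arg /home/user/data /data private) alpine ls -Z /data
#   fi
```

Note that `:Z` relabels the host directory itself, so a directory shared with other host processes is usually better served by `:z`.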

## REF

[1] https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/

[2] https://m-zhoujie2.gitbooks.io/-linux-devops-2/content/chapter3-10.html

[3] SELinux: a preliminary study