Hi everyone,

Sorry if this is a basic or misplaced question—this is a pretty deep topic and I’m just trying to understand what’s going on. If this belongs somewhere else, please let me know!
I’ve been running mailcow (a Dockerized mail server stack) on Rocky Linux 9.5 with SELinux enforcing. I noticed that after upgrading Docker (from 27.x to 28.x), things that used to work with named volumes and SELinux suddenly started failing, especially when containers try to share UNIX sockets (like MariaDB’s mysqld.sock).
Here’s what I’ve observed:
On my old setup (Docker 27.x), named volumes were labeled with container_file_t:s0 (no MCS), and containers could share files over a named volume even with SELinux enforcing.
On my new setup (Docker 28.x), new named volumes are labeled with the container’s MCS context (e.g., container_file_t:s0:c123,c456). This seems to block cross-container sharing unless the MCS matches, which isn’t the case for most Compose setups.
I’ve tried to read up on this, but honestly, I’m a bit lost:
I checked Docker, containerd, and container-selinux release notes and changelogs, but didn’t find anything about this change.
I know that bind mounts with :z/:Z are the working way to share files between containers with SELinux, but I’m specifically wondering about named volumes and if this new behavior is intentional.
So, my questions:
Did Docker (or containerd, or something else) change how named volumes are labeled with SELinux MCS?
If so, when did this happen, and is it documented anywhere?
Is there any way to control this, or is using bind mounts with :z now the only way to share files between containers with SELinux enforcing?
Sorry if I’m missing something obvious—this is a bit over my head, but I wanted to start here in case others have run into the same thing. If this is better suited for another repo or forum, just let me know!
Thanks so much for any help or pointers!
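The observation in the post comes down to the SELinux MCS dominance rule: a process may touch a file only if the process label's category set contains every category in the file label. A volume labeled plain `container_file_t:s0` (no categories) therefore dominates nothing and is reachable from every container, while `container_file_t:s0:c123,c456` is reachable only from a container whose own label carries `c123` and `c456`. The checker below is an added illustration of that rule, not code from the discussion, from Docker or from mailcow. The sample container and volume labels are constructed to mirror the two cases described above; the `live_labels` helper uses the real `docker inspect -f '{{.ProcessLabel}}'`, `docker volume inspect -f '{{.Mountpoint}}'` and GNU `stat -c %C` commands, but it is only called when the script is run on an actual host. It checks the MCS part of the label only; the type-enforcement side (`container_t` vs `container_file_t`) is left to the container-selinux policy.

```python
"""Check whether a container's SELinux MCS label can reach a file label.

Added example for the named-volume / MCS question above; the sample labels
are constructed, not captured from a real host.
"""
import re
import subprocess
from typing import Dict, Set, Tuple

# One category item is "cN" or a range "cN.cM" (e.g. "s0:c1,c3.c5").
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def effective_level(ctx: str) -> str:
    """Return the MCS level from a full context.

    'system_u:object_r:container_file_t:s0:c123,c456' -> 's0:c123,c456'
    A process range such as 's0-s0:c0.c1023' yields its high part.
    """
    fields = ctx.split(":", 3)
    if len(fields) < 4:
        raise ValueError(f"not a user:role:type:level context: {ctx!r}")
    return fields[3].split("-")[-1]


def parse_categories(level: str) -> Set[int]:
    """Expand the category list of a level: 's0:c1,c3.c5' -> {1, 3, 4, 5}."""
    parts = level.split(":", 1)
    if len(parts) == 1 or not parts[1]:
        return set()  # plain 's0': no categories
    cats: Set[int] = set()
    for item in parts[1].split(","):
        m = _CAT_RE.match(item.strip())
        if not m:
            raise ValueError(f"bad category {item!r} in level {level!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return cats


def mcs_allows(process_ctx: str, file_ctx: str) -> bool:
    """MCS dominance: the process categories must be a superset of the file's."""
    proc_cats = parse_categories(effective_level(process_ctx))
    file_cats = parse_categories(effective_level(file_ctx))
    return proc_cats >= file_cats


def check_access(containers: Dict[str, str],
                 volumes: Dict[str, str]) -> Dict[Tuple[str, str], bool]:
    """Report, per (container, volume) pair, whether MCS permits access."""
    return {(c, v): mcs_allows(cctx, vctx)
            for c, cctx in containers.items()
            for v, vctx in volumes.items()}


def live_labels(container: str, volume: str) -> Tuple[str, str]:
    """Read real labels from a Docker host (needs docker CLI, GNU stat, SELinux)."""
    def run(*argv: str) -> str:
        return subprocess.run(list(argv), check=True, capture_output=True,
                              text=True).stdout.strip()
    proc_ctx = run("docker", "inspect", "-f", "{{.ProcessLabel}}", container)
    mountpoint = run("docker", "volume", "inspect", "-f", "{{.Mountpoint}}", volume)
    file_ctx = run("stat", "-c", "%C", mountpoint)
    return proc_ctx, file_ctx


# Constructed sample data (hypothetical names, not a real deployment).
SAMPLE_CONTAINERS = {
    "db":  "system_u:system_r:container_t:s0:c123,c456",
    "app": "system_u:system_r:container_t:s0:c7,c9",
}
SAMPLE_VOLUMES = {
    "sock-vol-old-style": "system_u:object_r:container_file_t:s0",            # no MCS
    "sock-vol-new-style": "system_u:object_r:container_file_t:s0:c123,c456",  # per-container MCS
}

if __name__ == "__main__":
    for (c, v), ok in check_access(SAMPLE_CONTAINERS, SAMPLE_VOLUMES).items():
        print(f"{c:4} -> {v}: {'allowed' if ok else 'DENIED by MCS'}")
```

Run against a live host by replacing the sample dictionaries with labels returned by `live_labels(container, volume)`; a `DENIED by MCS` result for a shared socket volume is exactly the symptom described above.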