Hi everyone,

Sorry if this is a basic or misplaced question—this is a pretty deep topic and I’m just trying to understand what’s going on. If this belongs somewhere else, please let me know!

I’ve been running mailcow (a Dockerized mail server stack) on Rocky Linux 9.5 with SELinux enforcing. I noticed that after upgrading Docker (from 27.x to 28.x), things that used to work with named volumes and SELinux suddenly started failing, especially when containers try to share UNIX sockets (like MariaDB’s mysqld.sock).

Here’s what I’ve observed:

• On my old setup (Docker 27.x), named volumes were labeled with container_file_t:s0 (no MCS), and containers could share files over a named volume even with SELinux enforcing.
• On my new setup (Docker 28.x), new named volumes are labeled with the container’s MCS context (e.g., container_file_t:s0:c123,c456). This seems to block cross-container sharing unless the MCS matches, which isn’t the case for most Compose setups.

I’ve tried to read up on this, but honestly, I’m a bit lost:

• I checked Docker, containerd, and container-selinux release notes and changelogs, but didn’t find anything about this change.
• I know that bind mounts with :z/:Z are the working way to share files between containers with SELinux, but I’m specifically wondering about named volumes and if this new behavior is intentional.

So, my questions:

• Did Docker (or containerd, or something else) change how named volumes are labeled with SELinux MCS?
• If so, when did this happen, and is it documented anywhere?
• Is there any way to control this, or is using bind mounts with :z now the only way to share files between containers with SELinux enforcing?

Sorry if I’m missing something obvious—this is a bit over my head, but I wanted to start here in case others have run into the same thing. If this is better suited for another repo or forum, just let me know!

Thanks so much for any help or pointers!