Nan Xiao's Blog

A system software / performance engineer's home

SELinux causes “Permission denied” issue when using docker

I am using docker on RHEL 7. After mounting a host directory into a container, something interesting happens: although I am the root user and seem to have all permissions, the system prompts “Permission denied” when executing commands:

# docker run -v /root:/test --rm -it debian ls /test
ls: cannot open directory /test: Permission denied

After some tough investigation, I found that the root cause is SELinux:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

The current mode of SELinux is enforcing, and I have 2 solutions to resolve it now:


1. Add the --privileged option to the docker run command:

# docker run --privileged -v /root:/test --rm -it debian ls /test
Desktop    Pictures   anaconda-ks.cfg
Documents  Public     database    
Downloads  Templates  docker-oracle12c      sysdig
Music      Videos     initial-setup-ks.cfg


2. Set SELinux mode to permissive:

# setenforce 0
# docker run -v /root:/test --rm -it debian ls /test
Desktop    Downloads  Pictures  Templates  anaconda-ks.cfg  docker-oracle12c  sysdig
Documents  Music      Public    Videos     database         initial-setup-ks.cfg
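
Before picking either workaround, the audit log can confirm that an SELinux label, not file mode bits, blocked the container. The script below is an added example and not part of the original post; the audit record in it is constructed, and the type names (svirt_lxc_net_t, admin_home_t, svirt_sandbox_file_t, container_t, container_file_t) are assumptions based on the RHEL 7 targeted policy and its later renames.

```shell
#!/bin/sh
# Added example: classify SELinux AVC denials to see whether a container was
# blocked by a host file label.
# SAMPLE_AVC is a constructed audit record (container domain svirt_lxc_net_t,
# /root labelled admin_home_t); it is not taken from the post.
SAMPLE_AVC='type=AVC msg=audit(1450000000.123:456): avc:  denied  { read } for  pid=1234 comm="ls" name="root" dev="dm-0" ino=201 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'

# Print the value of key=value field $2 from audit record $1 (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# Print the SELinux type (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one AVC record: prints "<verdict> <source type> <target type> <comm>".
classify_avc() {
    local rec stype ttype
    rec=$1
    case $rec in
        *'avc:'*denied*) ;;
        *) echo "not-a-denial"; return 1 ;;
    esac
    stype=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    case $stype in
        svirt_lxc_net_t|container_t)    # confined container process domains
            case $ttype in
                svirt_sandbox_file_t|container_file_t)
                    echo "container-other $stype $ttype $(avc_field "$rec" comm)" ;;
                *)  # host-labelled object: the label, not the mode bits, is the blocker
                    echo "container-label-mismatch $stype $ttype $(avc_field "$rec" comm)" ;;
            esac ;;
        *) echo "non-container $stype $ttype $(avc_field "$rec" comm)" ;;
    esac
}

# On a live host, feed real records instead of the sample:
#   ausearch -m avc -ts recent | grep denied | while IFS= read -r l; do classify_avc "$l"; done
classify_avc "$SAMPLE_AVC"
```

A container-label-mismatch verdict means the mounted directory carries a host label that the confined container domain is not allowed to read, even when the process runs as root.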

Why does docker prompt “Permission denied” when backing up the data volume?;
Why does docker container prompt “Permission denied”?.




  1. Stanislav

    Very useful, thank you!

  2. Very useful thanks

  3. Ashutosh

    Did you try adding the suffix ‘:z’ or ‘:Z’ to the volume mount?
    In your case, the command would be
    docker run -v /root:/test:Z --rm -it debian ls /test

  4. This was helpful for me. Thanks!

    About adding ‘:z’ or ‘:Z’, I saw this thread and am not sure if it’s the best way to do it.

    I ended up adding ‘--privileged’ so it would work across machines, and across restarts. “setenforce 0” has to be done on every machine, and doesn’t persist across restarts.
