SELinux causes “Permission denied” issue when using docker

I am using docker on RHEL 7. After mounting a host directory into a container, something interesting happens: although I am the root user and appear to have every permission, the system prompts “Permission denied” when I run commands:

# docker run -v /root:/test --rm -it debian ls /test
ls: cannot open directory /test: Permission denied

After some tough investigation, I found that the root cause is SELinux:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

The current mode of SELinux is enforcing, and I have two solutions to resolve it so far:

(1)

Add the --privileged option to the docker run command:

# docker run --privileged -v /root:/test --rm -it debian ls /test
Desktop    Pictures   anaconda-ks.cfg       linuxamd64_12102_database_1of2.zip
Documents  Public     database              linuxamd64_12102_database_2of2.zip
Downloads  Templates  docker-oracle12c      sysdig
Music      Videos     initial-setup-ks.cfg

(2)

Set the SELinux mode to permissive:

# setenforce 0
# docker run -v /root:/test --rm -it debian ls /test
Desktop    Downloads  Pictures  Templates  anaconda-ks.cfg  docker-oracle12c      linuxamd64_12102_database_1of2.zip  sysdig
Documents  Music      Public    Videos     database         initial-setup-ks.cfg  linuxamd64_12102_database_2of2.zip
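Both workarounds widen the blast radius: --privileged removes the SELinux label and every other confinement from that container, and setenforce 0 switches SELinux off for the whole host until the next boot. The script below is an added example, not code from the original post; it shows the narrower fix that the comments below raise, the :Z volume suffix, which makes Docker relabel only the bind-mounted path. The sestatus parser and its sample input are constructed for offline use, the image name and the /root:/test paths are the post's own, and docker, sestatus and stat are executed only when the script is invoked with the argument run.

```shell
#!/bin/sh
# Added example, not code from the original post. Picks the least-privileged
# way to read a bind-mounted host directory inside a container on an
# SELinux-enforcing host: relabel just that path with the :Z suffix instead
# of running --privileged or setenforce 0.
#
# Nothing touches docker or SELinux unless the script is invoked as
#   ./selinux-mount.sh run /root /test
# so the helper functions can be exercised offline.

# Constructed sample of `sestatus` output (the lines the post itself shows),
# so the parser can be tested on a host without SELinux.
SAMPLE_SESTATUS='SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing'

# Print the SELinux mode found in the sestatus output passed as $1:
# enforcing, permissive, disabled, or unknown if it cannot be read.
selinux_mode() {
    printf '%s\n' "$1" | awk -F':[[:space:]]*' '
        /^SELinux status:/ && $2 == "disabled" { print "disabled"; found = 1; exit }
        /^Current mode:/                        { print $2;         found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Extract the type field (third component) of an SELinux context string such
# as unconfined_u:object_r:admin_home_t:s0.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when files of this type are not yet readable from a container.
# Docker's relabel target was svirt_sandbox_file_t on RHEL 7 of the post's
# era and is container_file_t on newer policies; either one already works.
needs_relabel() {
    case $1 in
        container_file_t|svirt_sandbox_file_t) return 1 ;;
        *)                                     return 0 ;;
    esac
}

# Build the -v argument for docker run: host path, container path, SELinux
# mode, and the current type of the host path. With SELinux enforcing (or
# permissive, which still logs denials) and a type containers cannot read,
# append :Z so Docker relabels the host path with a label private to this
# container; otherwise a plain bind mount is enough.
volume_spec() {
    host_path=$1; container_path=$2; mode=$3; current_type=$4
    case $mode in
        enforcing|permissive)
            if needs_relabel "$current_type"; then
                printf '%s:%s:Z\n' "$host_path" "$container_path"
                return
            fi ;;
    esac
    printf '%s:%s\n' "$host_path" "$container_path"
}

if [ "${1:-}" = run ]; then
    host=$2; guest=$3
    mode=$(selinux_mode "$(sestatus 2>/dev/null || printf 'SELinux status: disabled\n')")
    # GNU stat's %C prints the security context of the path.
    current=$(label_type "$(stat -c %C "$host")")
    spec=$(volume_spec "$host" "$guest" "$mode" "$current")
    printf 'SELinux mode: %s, type on %s: %s, mounting with -v %s\n' \
        "$mode" "$host" "$current" "$spec"
    docker run --rm -v "$spec" debian ls "$guest"
    # A remaining denial is recorded by the kernel as an AVC message;
    # inspect it before widening privileges:  ausearch -m avc -ts recent
fi
```

:Z applies a label private to one container and :z a shared one; both relabel every file under the host path, so on /root this touches the whole home directory and a narrower directory is preferable. When access is still denied, the kernel has logged the decision in /var/log/audit/audit.log, which is the check to run before reaching for --privileged or setenforce 0.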

References:
Why does docker prompt “Permission denied” when backing up the data volume?
Why does docker container prompt “Permission denied”?


4 thoughts on “SELinux causes “Permission denied” issue when using docker”

  1. Ashutosh

    Did you try adding the suffix ‘:z’ or ‘:Z’ to the volume mount?
    In your case, the command would be
    docker run -v /root:/test:Z --rm -it debian ls /test

  2. Tri Nguyen

    This was helpful for me. Thanks!

    About adding ‘:z’ or ‘:Z’, I saw this thread https://github.com/moby/moby/issues/30934 and not sure if it’s the best way to do it.

    I ended up adding ‘--privileged’ so it would work across machines, and across restarts. “setenforce 0” has to be done on every machine, and doesn’t persist across restarts.

