aboutsummaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2021-11-04 04:14:12 -0700
committerDaniel J Walsh <dwalsh@redhat.com>2021-11-06 05:47:52 -0400
commit4e8bf8be4b74b02cbfe46b089b94680c1627c3a0 (patch)
treea5e3ddced548075e98e0895cbb9d89db247d0e10 /docs
parentabbd6c167e8163a711680db80137a0731e06e564 (diff)
downloadpodman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.tar.gz
podman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.tar.bz2
podman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.zip
Add some information about disabling SELinux when using system volumes
A comment was made on internal mailing list about confusion on SELinux labeling of volumes. This PR makes it a little more clear about when you should or should not relabel. We need a similar comment in podman pod create, but it does not support --security-opt processing yet. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r--docs/source/markdown/podman-build.1.md8
-rw-r--r--docs/source/markdown/podman-create.1.md9
-rw-r--r--docs/source/markdown/podman-run.1.md9
3 files changed, 26 insertions, 0 deletions
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md
index 5a867c574..835df7693 100644
--- a/docs/source/markdown/podman-build.1.md
+++ b/docs/source/markdown/podman-build.1.md
@@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers, disabling SELinux separation is recommended. The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation.
+
+ $ podman build --security-opt label=disable -v $HOME:/home/user .
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 3ff736adb..9a37a1dd0 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -1249,6 +1249,15 @@ content label. Shared volume labels allow all containers to read/write content.
The `Z` option tells Podman to label the content with a private unshared label.
Only the current container can use a private volume.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers we recommend that disable SELinux separation. The option
+`--security-opt label=disable` disables SELinux separation for containers used in the build.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+ $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index a1170253f..ce1e86afe 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -1314,6 +1314,15 @@ share the volume content. As a result, Podman labels the content with a shared
content label. Shared volume labels allow all containers to read/write content.
The **Z** option tells Podman to label the content with a private unshared label.
+Note: Do not relabel system files and directories. Relabeling system content
+might cause other confined services on your machine to fail. For these types
+of containers we recommend that disable SELinux separation. The option
+`--security-opt label=disable` disables SELinux separation for the container.
+For example if a user wanted to volume mount their entire home directory into a
+container, they need to disable SELinux separation.
+
+ $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file
+
`Overlay Volume Mounts`
The `:O` flag tells Podman to mount the directory from the host as a