diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2021-11-04 04:14:12 -0700 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-11-06 05:47:52 -0400 |
commit | 4e8bf8be4b74b02cbfe46b089b94680c1627c3a0 (patch) | |
tree | a5e3ddced548075e98e0895cbb9d89db247d0e10 /docs | |
parent | abbd6c167e8163a711680db80137a0731e06e564 (diff) | |
download | podman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.tar.gz podman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.tar.bz2 podman-4e8bf8be4b74b02cbfe46b089b94680c1627c3a0.zip |
Add some information about disabling SELinux when using system volumes
A comment was made on internal mailing list about confusion on SELinux
labeling of volumes. This PR makes it a little more clear about when
you should or should not relabel.
We need a similar comment in podman pod create, but it does not support
--security-opt processing yet.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/source/markdown/podman-build.1.md | 8 | ||||
-rw-r--r-- | docs/source/markdown/podman-create.1.md | 9 | ||||
-rw-r--r-- | docs/source/markdown/podman-run.1.md | 9 |
3 files changed, 26 insertions, 0 deletions
diff --git a/docs/source/markdown/podman-build.1.md b/docs/source/markdown/podman-build.1.md index 5a867c574..835df7693 100644 --- a/docs/source/markdown/podman-build.1.md +++ b/docs/source/markdown/podman-build.1.md @@ -774,6 +774,14 @@ content label. Shared volume labels allow all containers to read/write content. The `Z` option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. +Note: Do not relabel system files and directories. Relabeling system content +might cause other confined services on your machine to fail. For these types +of containers, disabling SELinux separation is recommended. The option +`--security-opt label=disable` disables SELinux separation for the container. +For example, if a user wanted to volume mount their entire home directory into the build containers, they need to disable SELinux separation. + + $ podman build --security-opt label=disable -v $HOME:/home/user . + `Overlay Volume Mounts` The `:O` flag tells Podman to mount the directory from the host as a diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md index 3ff736adb..9a37a1dd0 100644 --- a/docs/source/markdown/podman-create.1.md +++ b/docs/source/markdown/podman-create.1.md @@ -1249,6 +1249,15 @@ content label. Shared volume labels allow all containers to read/write content. The `Z` option tells Podman to label the content with a private unshared label. Only the current container can use a private volume. +Note: Do not relabel system files and directories. Relabeling system content +might cause other confined services on your machine to fail. For these types +of containers we recommend that disable SELinux separation. The option +`--security-opt label=disable` disables SELinux separation for containers used in the build. +For example if a user wanted to volume mount their entire home directory into a +container, they need to disable SELinux separation. + + $ podman create --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file + `Overlay Volume Mounts` The `:O` flag tells Podman to mount the directory from the host as a diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md index a1170253f..ce1e86afe 100644 --- a/docs/source/markdown/podman-run.1.md +++ b/docs/source/markdown/podman-run.1.md @@ -1314,6 +1314,15 @@ share the volume content. As a result, Podman labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The **Z** option tells Podman to label the content with a private unshared label. +Note: Do not relabel system files and directories. Relabeling system content +might cause other confined services on your machine to fail. For these types +of containers we recommend that disable SELinux separation. The option +`--security-opt label=disable` disables SELinux separation for the container. +For example if a user wanted to volume mount their entire home directory into a +container, they need to disable SELinux separation. + + $ podman run --security-opt label=disable -v $HOME:/home/user fedora touch /home/user/file + `Overlay Volume Mounts` The `:O` flag tells Podman to mount the directory from the host as a |