The Dream
On SELinux-enabled systems such as Fedora and RHEL, containers run in a confined domain and are denied access to host files that do not carry a container label, so a bind mount that works on Ubuntu fails with "permission denied". This tutorial shows how to label the volumes in your Docker Compose services so they work with SELinux in enforcing mode, without turning it off.
Understanding SELinux and Docker
SELinux (Security-Enhanced Linux) provides mandatory access control on top of the normal Unix permissions. Each container process runs in the container_t domain, and the policy only lets that domain read and write files labelled container_file_t. A bind-mounted host directory normally carries a host label such as user_home_t, so the container is denied access even when the file mode would allow it. Instead of disabling SELinux, we'll give the mounted content the label the policy expects.
Prerequisites
- Fedora or RHEL-based system with SELinux enabled
- Docker and Docker Compose installed
- Basic understanding of Docker volumes
Setting Up Volume Labels
When bind-mounting a host directory in your docker-compose.yml, add the :z or :Z suffix to the mount. Docker then relabels the content when the container starts:
volumes:
  - ./data:/app/data:z
- :z - Shared volume label. The content is relabelled container_file_t with no private category, so any container on the host can access it.
- :Z - Private volume label. The content is relabelled container_file_t with the container's own MCS categories, so only that container can access it. If a second container (including a scaled replica of the same service) mounts the same path with :Z, its start relabels the content again and the first container loses access.
The suffixes matter for bind mounts of host paths. Docker-managed named volumes are created under /var/lib/docker and are labelled for container access by the policy, so they need no suffix.
Example Configuration
Here's a complete example. Both mounts use :z because the same directories may be reused by a second web container or a scaled replica; use :Z only when exactly one container will ever mount the path.
version: '3.8'   # ignored by Compose v2, which warns that the attribute is obsolete; harmless to keep
services:
  web:
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - ./html:/usr/share/nginx/html:z    # static content, relabelled container_file_t at start
      - ./config:/etc/nginx/conf.d:z      # nginx only reads this; :z still needed for the read
Troubleshooting
If you encounter permission denied errors inside the container, confirm that SELinux is the cause before changing anything else:
# Check SELinux status (Enforcing means denials are blocked, Permissive means they are only logged)
getenforce
# Inspect the label the mounted directory actually carries; a host label such as user_home_t
# or default_t means the relabel did not happen
ls -dZ ./html ./config
# View SELinux denials from the last ten minutes; look for scontext=...container_t and the
# tcontext of the file that was denied
sudo ausearch -m avc -ts recent
# Allow specific access (if needed): record the container label in the file-context policy
# and apply it. Unlike :z/:Z, which set the label at container start only, this survives a
# later restorecon or a relabel on boot. semanage comes from policycoreutils-python-utils.
sudo semanage fcontext -a -t container_file_t "/path/to/data(/.*)?"
sudo restorecon -Rv /path/to/data
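Reading the denial is what decides which of the fixes above applies: a tcontext that is not container_file_t means the volume was never labelled, while a container_file_t target with foreign MCS categories means two containers are fighting over one :Z mount. The script below is an added example, not code from the original tutorial or from Docker; it classifies AVC records in the format ausearch prints and suggests the matching fix. The three records it runs on are constructed for the example, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: triage SELinux AVC denials
# that involve containers. Input is one AVC record per line, in the format
# printed by `sudo ausearch -m avc -ts recent`; the three records below are
# constructed for this example, not captured from a real host.

# Value of one key=value field of an AVC record; a surrounding double quote
# (as in comm="nginx") is stripped.
avc_field() {
    # $1 = field name, $2 = record
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# Type (third field) of a context such as system_u:object_r:user_home_t:s0
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# MCS level and categories (fourth field onward), e.g. s0:c123,c456
ctx_mcs() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Classify one record:
#   not-container  the denied process is not a container (scontext type is not container_t)
#   unlabelled     the target still carries a host label: :z/:Z or semanage+restorecon needed
#   mcs-mismatch   the target is container_file_t but carries another container's private categories
#   other          labels are fine; the denial has a different cause (mode, ownership, class)
avc_classify() {
    local scon tcon tmcs
    scon=$(avc_field scontext "$1")
    tcon=$(avc_field tcontext "$1")
    if [ "$(ctx_type "$scon")" != container_t ]; then
        echo not-container
        return
    fi
    if [ "$(ctx_type "$tcon")" != container_file_t ]; then
        echo unlabelled
        return
    fi
    tmcs=$(ctx_mcs "$tcon")
    # s0 with no categories is the shared (:z) label, reachable by every container.
    # Categories that differ from the process's own were set by a different
    # container's :Z mount, and MCS denies the access.
    if [ "$tmcs" != s0 ] && [ "$tmcs" != "$(ctx_mcs "$scon")" ]; then
        echo mcs-mismatch
    else
        echo other
    fi
}

avc_advice() {
    case "$1" in
        unlabelled)    echo "add :z or :Z to the bind mount, or semanage fcontext -t container_file_t + restorecon" ;;
        mcs-mismatch)  echo "path is shared by more than one container: use :z instead of :Z" ;;
        not-container) echo "not a container denial; outside the scope of volume labels" ;;
        *)             echo "labels are correct; check ls -lZ ownership/mode and the denied permission" ;;
    esac
}

# Read records on stdin, skip anything that is not a denial, print one triage line each.
triage() {
    local rec kind
    while IFS= read -r rec; do
        case "$rec" in *"avc:  denied"*) ;; *) continue ;; esac
        kind=$(avc_classify "$rec")
        printf '%-13s comm=%s name=%s -> %s\n' "$kind" \
            "$(avc_field comm "$rec")" "$(avc_field name "$rec")" "$(avc_advice "$kind")"
    done
}

# Constructed sample records (not real audit data).
AVC_UNLABELLED='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=2345 comm="nginx" name="index.html" dev="dm-0" ino=131089 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_MCS='type=AVC msg=audit(1700000001.789:457): avc:  denied  { write } for  pid=2346 comm="nginx" name="access.log" dev="dm-0" ino=131090 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_file_t:s0:c7,c981 tclass=file permissive=0'
AVC_HOST='type=AVC msg=audit(1700000002.456:458): avc:  denied  { read } for  pid=987 comm="httpd" name="index.html" dev="dm-0" ino=131089 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Run on the samples; on a real host pipe in:  sudo ausearch -m avc -ts recent | triage
printf '%s\n' "$AVC_UNLABELLED" "$AVC_MCS" "$AVC_HOST" | triage
```

The first sample is the common case this tutorial is about: nginx in container_t reading a file still labelled user_home_t, fixed by adding :z. The second is the trap with :Z described earlier, where the file already has container_file_t but with categories c7,c981 belonging to another container; relabelling it again with :Z would only move the problem, so the advice is to switch to :z. The third is a denial for a non-container process and is filtered out as irrelevant to volume labels.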
Best Practices
- Always add :z or :Z to bind mounts in compose files
- Use :z for shared volumes accessed by multiple containers
- Use :Z for volumes accessed by a single container, and never for a path that a scaled service or a second compose project also mounts
- Never apply :z or :Z to a system directory such as /home, /usr or /var; the relabel is recursive and can leave the host unusable. Mount a dedicated subdirectory instead
- Never disable SELinux in production; fix the labels rather than switching to permissive mode
- Review SELinux logs regularly
Conclusion
With proper volume labeling, Docker and SELinux work together seamlessly, providing both convenience and security.