A CentOS Stream 9 server is running Docker with SELinux in enforcing mode. Two different containers must share read-write access to the same host directory /var/shared. The first container is started with:
docker run -d --name app1 \
-v /var/shared:/data centos:9
When a second container is launched with the identical -v /var/shared:/data option, every attempt to write to /data inside the container fails with "Permission denied". Which single change to the volume mount will ensure that SELinux relabels the directory so that both containers can read and write the shared data?
Make the bind mount read-only with :ro ( -v /var/shared:/data:ro )
Add the :z suffix to the volume specification ( -v /var/shared:/data:z )
Specify :rw on the mount ( -v /var/shared:/data:rw )
Add the :Z suffix to the volume specification ( -v /var/shared:/data:Z )
SELinux assigns a unique multi-category security (MCS) label to every container. When a host directory is bind-mounted without additional options, the directory keeps its original host label, so it is only accessible to the first container whose label matches. Appending ":z" to the bind-mount specification tells Docker (and other OCI engines) to relabel the directory with a shared SELinux label (type container_file_t with no MCS categories). Because this label is considered shared, any subsequent container that mounts the directory with the same :z option will have its processes allowed to read and write the files.
The ":Z" option creates a private, unshared label that prevents other containers from accessing the directory; it would not solve the problem. The ":ro" option makes the mount read-only, and ":rw" is the default and does not affect SELinux labeling. Therefore, using :z is the correct way to allow multiple containers concurrent read/write access when SELinux is enforcing.
CompTIA Linux+ XK0-006 (V8)
Services and User Management