A Linux administrator is containerizing an internal web application with Podman. The application must be able to read and write user-generated files that live on the host at /srv/dbfiles, but no other container should ever have access to those files. The first test run was launched with:
podman run -d -v /srv/dbfiles:/var/lib/appdata mycorp/web:latest
The container started, but the application immediately logged "Permission denied" when trying to open files in /var/lib/appdata. Audit logs show SELinux AVC denials for /srv/dbfiles. Which modification to the run command will both fix the SELinux denial and keep the files private to this single container?
Replace the bind mount with a named volume created by podman volume create appdata
Add the :z option: -v /srv/dbfiles:/var/lib/appdata:z
Add the :Z option: -v /srv/dbfiles:/var/lib/appdata:Z
Make the mount read-only: -v /srv/dbfiles:/var/lib/appdata:ro
The SELinux policy on the host labels /srv/dbfiles with a type that ordinary containers cannot use. Adding the :Z suffix to the bind mount (-v /srv/dbfiles:/var/lib/appdata:Z) tells Podman to relabel the directory with a private container_file_t label that only this one container can use. The relabeling eliminates the AVC denials while preventing other containers from accessing the same path.
:z also relabels, but with a shared label intended for volumes that will be mounted into multiple containers, so it does not meet the privacy requirement.
:ro makes the mount read-only and does not adjust SELinux labels, so the denial remains.
Creating a named volume and mounting it would still leave SELinux untouched unless it is explicitly relabeled; it also fails to satisfy the requirement to use the existing host directory.
Therefore, adding :Z is the correct solution.
CompTIA Linux+ XK0-006 (V8)
Services and User Management