While troubleshooting a Podman container on a RHEL 9 server running SELinux in enforcing mode, you notice that the application inside the container receives "permission denied" errors when it tries to write to a host directory that is bind-mounted with:
-v /srv/appdata:/data
The directory should remain private to this container; other containers must not be able to read or write its contents. Which change to the volume specification resolves the error and keeps the directory isolated without relaxing SELinux policy?
Append :z to the mount so it becomes -v /srv/appdata:/data:z.
Append :rw to the mount so it becomes -v /srv/appdata:/data:rw.
Add --security-opt label:disable to the run command to bypass SELinux checks.
Append :Z to the mount so it becomes -v /srv/appdata:/data:Z.
SELinux blocks access when a host path is mounted into a container unless the file labels match the container's expected types. Appending the suffix :Z to the volume tells Podman (or Docker) to relabel the files with a private, container-specific MLS/MCS label. This grants the calling container read/write access while preventing other containers from using the directory.
The lowercase :z also triggers relabeling, but it applies a shared label that intentionally allows any container to access the volume, so it does not meet the privacy requirement.
Adding :rw affects only traditional UNIX permissions; it does nothing to satisfy SELinux.
Disabling SELinux labeling with --security-opt label:disable would allow access, but it entirely removes SELinux protection for that directory, violating the requirement to keep the policy intact. Therefore, appending :Z is the correct solution.
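A way to confirm on the host that the relabel actually happened and was private, as an added example (not part of the original question): the shell functions below compare the MCS categories on the bind-mounted directory with those in the container's own process label. It assumes the standard RHEL label layout user:role:type:s0:cA,cB, the `ls -dZ` output format, and that `podman inspect` exposes the container's label as `.ProcessLabel`.

```shell
#!/usr/bin/env bash
# Added example: classify how a host directory is labeled relative to one container.
# Assumes labels of the form user:role:type:s0:cA,cB (RHEL MCS default).

# Return the MCS category field (e.g. "c123,c456") of a full SELinux label,
# or an empty string when the label carries no categories.
mcs_of() {
    printf '%s\n' "$1" | awk -F: '{ print $5 }'
}

# classify_mount DIR_LABEL PROCESS_LABEL
# Prints one of:
#   private   - container_file_t with the same categories as this container (:Z)
#   shared    - container_file_t with no categories, readable by any container (:z)
#   foreign   - container_file_t labeled for a different container
#   unlabeled - not a container type at all, so SELinux will deny the write
classify_mount() {
    local dir_label="$1" proc_label="$2" type dcat pcat
    type=$(printf '%s\n' "$dir_label" | awk -F: '{ print $3 }')
    if [ "$type" != "container_file_t" ]; then
        echo unlabeled
        return
    fi
    dcat=$(mcs_of "$dir_label")
    pcat=$(mcs_of "$proc_label")
    if [ -z "$dcat" ]; then
        echo shared
    elif [ "$dcat" = "$pcat" ]; then
        echo private
    else
        echo foreign
    fi
}

# check_live HOST_DIR CONTAINER: read both labels from a running system.
# Requires SELinux-aware coreutils and podman; the label sources are assumptions.
check_live() {
    local dir_label proc_label
    dir_label=$(ls -dZ "$1" | awk '{ print $1 }')
    proc_label=$(podman inspect --format '{{ .ProcessLabel }}' "$2")
    classify_mount "$dir_label" "$proc_label"
}
```

Run `check_live /srv/appdata <container>` after starting the container with `:Z`; anything other than `private` means the directory is either still unlabeled or reachable by other containers.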
CompTIA Linux+ XK0-006 (V8)
Services and User Management