Hi all,
I’m hoping someone can help clarify something I’ve run into after upgrading to Docker 28.x on a RHEL-based system with SELinux enforcing.
What I’m seeing:
- On Docker 27.x, named volumes (used for things like MariaDB UNIX sockets in mailcow) were labeled as
:s0(no MCS), and cross-container socket sharing worked fine with SELinux enforcing. - After upgrading to Docker 28.x, the same named volumes are now labeled with an MCS context (e.g.,
:s0:c123,c456), and SELinux blocks access from other containers with different MCS labels—even though the policy allowscontainer_tto accesscontainer_file_t. - The
:z/:Zoptions only seem to work for bind mounts, not named volumes (Docker docs), so I can’t use them to fix the labeling for named volumes.
I’m not sure if I’m missing something, if this is a new intentional security feature, or if there’s a recommended way to handle this.
I haven’t found any clear mention of this change in the Docker release notes or documentation, and I’m surprised because it seems like it would break a lot of multi-container setups that rely on shared UNIX sockets.
Has anyone else run into this, or is there any official info on this change?
Is there a way to control the MCS labeling for named volumes, or is switching to a bind mount with :z now the only option for SELinux enforcing setups?
Thanks for any clarification or pointers—just trying to understand if this is expected behavior or if I’m missing something obvious.
Paul