SELinux issue when images stored in /home

(Scaum) #1


First of all, sorry if this is a stupid question but I’ve been looking around for some time and cannot find a solution to my problem.

I have a web app I want to “dockerise” using sbt. I create the image using native-sbt-packager with docker:publishLocal and I can run it with
docker run -p 9000:9000 myapp:version.
However, docker was creating the image in /var/lib/docker which was filling my root partition pretty quickly (using Fedora 27).

I added a daemon.json with the “graph” key and changed the location to a folder in my /home directory (/home/myuser/docker).

Since then, I’m having SELinux issues and cannot build or run images without first running
sudo setenforce 0
which seems to me like a REALLY BAD solution.

I eventually found a way to run the image without disabling SELinux, with the option
--security-opt label:disable
I’m still not sure this is the best solution but it seems a lot better.

However, I still cannot build the image without disabling SELinux as the --security-opt option cannot be set there.

If somebody has ever run into this kind of issue and can help me, I would greatly appreciate it.

Once again, sorry if this is a stupid question, I’m pretty new to docker and not really a Linux expert.

(Scaum) #2

I found a solution to my issue after a good night of sleep. Here is what I did if anyone has the same problem, and if this is a bad solution, please let me know.

Once I had my /home/myuser/docker folder created, added the “graph” key to my daemon.json and restarted docker, the /home/myuser/docker folder contained 9 additional folders (containers, image, network, etc…)
For each of these subfolders I ran the command
sudo chcon -R --reference=/var/lib/docker/subfolder /home/myuser/docker/subfolder
to copy the SELinux context.

I had to run the command for each subfolder as running
sudo chcon -R --reference=/var/lib/docker /home/myuser/docker
didn’t do the trick.

Once again I’m not a Linux expert and even less a SELinux expert, so if this is a bad solution for any reason please let me know.
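
The per-subfolder relabel described in post #2, written as a dry-run helper with a label check afterwards. This is an added example, not part of the original posts; the function names `plan_relabel` and `label_mismatches` are hypothetical, and the label check assumes GNU `stat` (`%C` prints the SELinux context).

```shell
#!/bin/sh
# Added example (not from the thread): plan and verify the per-subfolder
# chcon step. Nothing is relabelled here; plan_relabel only prints commands.

# plan_relabel REF NEW
# For every top-level subdirectory of NEW, print the chcon command that copies
# the SELinux context from the same-named subdirectory of REF. Subdirectories
# with no counterpart under REF are reported instead of guessed at.
plan_relabel() {
    ref=$1; new=$2
    for d in "$new"/*/; do
        [ -d "$d" ] || continue                 # glob matched nothing
        name=$(basename "$d")
        if [ -d "$ref/$name" ]; then
            printf "chcon -R --reference='%s' '%s'\n" "$ref/$name" "$new/$name"
        else
            printf '# skipped %s: no %s to copy a context from\n' "$name" "$ref/$name"
        fi
    done
}

# label_mismatches REF NEW
# After relabelling, compare the context of each top-level subdirectory with
# its reference. Prints one line per mismatch; returns 1 if any were found.
label_mismatches() {
    ref=$1; new=$2; bad=0
    for d in "$new"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ -d "$ref/$name" ] || continue
        want=$(stat -c %C "$ref/$name" 2>/dev/null) || want='?'
        have=$(stat -c %C "$new/$name" 2>/dev/null) || have='?'
        if [ "$want" != "$have" ]; then
            printf '%s: have %s, want %s\n' "$name" "$have" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Typical use with the paths from the thread (review the plan before running it):
#   plan_relabel /var/lib/docker /home/myuser/docker
#   sudo sh -c 'label_mismatches /var/lib/docker /home/myuser/docker'
```

Labels set with `chcon` are not recorded in the SELinux file-context policy, so a later `restorecon` or full filesystem relabel can reset them. `semanage fcontext -a -e /var/lib/docker /home/myuser/docker` followed by `restorecon -R /home/myuser/docker` is the standard way to record such a path equivalence in policy.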