
CentOS 7.5 & Docker: "SELinux relabeling of is not allowed" for named volume but not path volume

containers

#1

So I have three CentOS 7.5 servers running Docker. They’re in a Docker Swarm together. All are masters/workers.

When I try to run any container with a specified named volume, I get this error:

SELinux relabeling of is not allowed

The “of is” implies to me it doesn’t know what it’s trying to relabel, but considering this only happens when I specify a named volume to mount, like so:

-v portainer_data:/data

I imagine the path that should be there is almost certainly whatever that named volume is. This works fine when I specify the path, like so:

-v /var/lib/docker/volumes/portainer_portainer_data/_data:/data

Which is where it’d be going anyway.

# docker volume inspect portainer_portainer_data
[
    {
        "Driver": "local",
        "Labels": {
            "com.docker.stack.namespace": "portainer"
        },
        "Mountpoint": "/var/lib/docker/volumes/portainer_portainer_data/_data",
        "Name": "portainer_portainer_data",
        "Options": {},
        "Scope": "local"
    }
]

But that isn’t the same named volume?

That’s how Stacks work in Docker Swarm. The volume name is prepended with the stack name. So I can have two stacks, portainer and portainer_2, and it will create two separate volumes, portainer_portainer_data and portainer_2_portainer_data, to prevent collisions between volume names in different stacks. So specifying -v portainer_data for a stack called portainer will resolve to portainer_portainer_data as the volume.

I’ve tried doing this -v portainer_data:/data:z and -v portainer_data:/data:Z

Same error. I’ve tried doing this:

chcon -Rt svirt_sandbox_file_t /var/lib/docker/volumes/
chcon -Rt svirt_sandbox_file_t /var/lib/docker/volumes/portainer_portainer_data
chcon -Rt svirt_sandbox_file_t /var/lib/docker/volumes/portainer_portainer_data/_data

I realize -R is recursive, but after doing each, I tried starting the service, and it still resulted in the error.

The reason I want to use a named volume is that Swarm syncs them (AFAICT based on documentation), and I don’t think it does this with a specified path? Not 100% on that tbh, the documentation wasn’t very explicit in saying so for either format.

How can I make this happen without disabling SELinux? Google is failing me in that I found an RHEL 7.5 page for it, but I’d have to be a subscriber and I’m not. And there are no other found instances of this error that specify a way to solve it.
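As an added example (not code from the thread), this script turns the two checks described in the post into something repeatable: resolve a stack's named volume to the stack-prefixed name and its local mountpoint, then verify that the mountpoint's SELinux type is one the container policy allows. It assumes the local driver layout shown above, GNU stat (-c %C) for reading contexts, and the docker CLI for the live lookup; container_file_t is the newer name of the svirt_sandbox_file_t type used in the chcon commands.

```shell
#!/bin/sh
# Added example: resolve a Swarm stack volume and check its SELinux label.
# Assumes the local volume driver layout from the thread and GNU stat.

# Swarm prefixes the volume name with the stack name:
# stack "portainer" + volume "portainer_data" -> "portainer_portainer_data"
stack_volume_name() {
  printf '%s_%s\n' "$1" "$2"
}

# Mountpoint of a local-driver volume, as `docker volume inspect` reports it
stack_volume_mountpoint() {
  printf '/var/lib/docker/volumes/%s/_data\n' "$(stack_volume_name "$1" "$2")"
}

# An SELinux context is user:role:type:level; the type is the third field
selinux_type_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Types a confined container may read and write (svirt_sandbox_file_t is the
# older name used in the thread; container_file_t is its alias in newer policy)
label_allows_container() {
  case "$(selinux_type_of "$1")" in
    container_file_t|svirt_sandbox_file_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: 0 = label OK, 1 = wrong type, 2 = no context readable
# (stat prints '?' when SELinux is not active; it fails when the path is missing)
check_path_label() {
  ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
  [ "$ctx" != "?" ] || return 2
  label_allows_container "$ctx"
}

# Usage on a Swarm node (assumes the docker CLI): ask docker for the real
# mountpoint, fall back to the conventional path, then report the label.
check_stack_volume() {
  name=$(stack_volume_name "$1" "$2")
  mp=$(docker volume inspect -f '{{.Mountpoint}}' "$name" 2>/dev/null) \
    || mp=$(stack_volume_mountpoint "$1" "$2")
  if check_path_label "$mp"; then
    echo "OK: $name at $mp carries a container-accessible type"
  else
    echo "CHECK: $name at $mp: $(stat -c %C "$mp" 2>/dev/null || echo 'no context')"
  fi
}
```

Run `check_stack_volume portainer portainer_data` on the node before starting the stack; a CHECK line tells you the label, not the Docker version, is what to look at.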


#2

Do you have the link?


#3

https://access.redhat.com/solutions/3431231


#4

You can register for free with RHEL here:

https://developers.redhat.com/auth/realms/rhd/protocol/openid-connect/registrations?client_id=web&redirect_uri=https%3A%2F%2Fdevelopers.redhat.com%2F%2Fconfirmation&state=b7e55c1f-99ab-46b7-a0f3-8fe503ced8f6&nonce=8c7dcc33-fb95-49d5-9167-09ddf8fea829&response_mode=fragment&response_type=code


#5

That worked, thanks.

sees your PM

:rage:

Edit:

I solved this issue by updating to Community Edition 18.03.

It’s a bug specifically for CentOS 7.5 and Docker 1.13 together. Weird. Doesn’t happen on other distros for Docker 1.13, and doesn’t happen on CentOS 7.5 with CE 18.03.