Docker Volume Mount SELinux Z Options Explained

May 22, 2020


The Docker engine added support for SELinux (z and Z) volume mount options making container filesystem security management easier.

The z option tells Docker to relabel the shared host directory with the svirt_sandbox_file_t SELinux type (on current container-selinux policies the type is named container_file_t, with svirt_sandbox_file_t kept as an alias), so that any container can access the content:

    docker run -v /var/db:/var/db:z rhel7 /bin/sh

This is the equivalent of running

    chcon -Rt svirt_sandbox_file_t /var/db

manually.

The Z option is stricter, giving each container a unique MCS label. For example:

    docker run -v /var/db:/var/db:Z rhel7 /bin/sh

This relabels /var/db with an MCS level such as s0:c1,c2 that is unique to the container, so no other container can access the directory. This is comparable to:

    chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db

where the MCS string (s0:c1,c2) is unique per container. Because the relabel is applied to the host directory itself, other containers (and SELinux-confined host processes) lose access to it until it is relabelled again, so Z is only suitable for directories that a single container owns.
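A quick way to confirm that a mount actually got the label z or Z is meant to produce is to inspect the host directory with `ls -dZ` and split the label into its fields. The script below is an added example, not part of the original post; it parses labels of the form user:role:type:level, classifies each one as shared (z), private (Z) or something else, and runs over a constructed sample of `ls -dZ` output (the "LABEL PATH" column order is assumed from GNU coreutils, and the sample lines are invented, not captured from a real host).

```shell
#!/bin/sh
# Classify SELinux file labels left behind by Docker's z / Z volume options.
# Labels look like: system_u:object_r:container_file_t:s0:c1,c2
# The level itself may contain a colon (s0:c1,c2), so the first three
# fields are user, role and type and everything after them is the level.

label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

label_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# 0 when the type is one a container volume should carry:
# container_file_t on current policies, svirt_sandbox_file_t (alias) on older ones.
is_container_type() {
    case "$(label_type "$1")" in
        container_file_t|svirt_sandbox_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the level carries MCS categories (what :Z produces),
# 1 when it is a bare sensitivity such as s0 (what :z produces).
has_mcs_categories() {
    case "$(label_level "$1")" in
        s[0-9]*:c[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print z (shared container label), Z (private container label) or other.
classify_label() {
    if ! is_container_type "$1"; then
        echo other
    elif has_mcs_categories "$1"; then
        echo Z
    else
        echo z
    fi
}

# Two private (Z) mounts should never share a category set; 0 when they collide.
same_mcs_level() {
    [ "$(label_level "$1")" = "$(label_level "$2")" ]
}

# Pull the label out of one line of `ls -dZ` output.
# Assumes GNU coreutils layout: "LABEL PATH" (label is the first field).
label_from_ls() {
    set -- $1
    printf '%s\n' "$1"
}

# Constructed sample of `ls -dZ` output for three host directories
# (invented for this example, not captured from a real system).
SAMPLE='system_u:object_r:container_file_t:s0:c1,c2 /var/db
system_u:object_r:container_file_t:s0 /srv/shared
unconfined_u:object_r:var_t:s0 /var/unlabelled'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    label=$(label_from_ls "$line")
    path=${line##* }
    printf '%-16s %-6s %s\n' "$path" "$(classify_label "$label")" "$label"
done
```

Run it on a real host by replacing SAMPLE with `ls -dZ /path/to/volume` output; a directory that still reports `other` after a z or Z mount means the relabel did not happen (for example because the volume sits on a filesystem that does not support SELinux labels), and two Z-mounted directories for which same_mcs_level succeeds are not actually isolated from each other.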

Use these options when running Docker on SELinux-enabled systems instead of relabelling host directories by hand.

For full storage reference, see Docker storage documentation.

Tags: [docker] [selinux] [linux]