How to set up docker to work with SELinux

How to properly get docker working with Linux with SELinux enabled

Posted on December 8, 2017

From time to time I need to get this working, either by a new computer or some reinstall. Lately, I had to do this twice because my new Dell XPS laptop needed to be serviced, and I had to reinstall my OS of choice: Fedora Linux.

From now on, I assume you already have docker installed; in my case (Fedora Linux) it is just a matter of typing: sudo dnf install docker

Change the default docker directory

Since I don’t want docker to pollute my /user directory, I usually create a new directory just to hold the docker images and files. In this case, I will use /home/docker, since /home sits on a very large partition.

sudo vim /etc/sysconfig/docker

add -g /home/docker to the OPTIONS line:

OPTIONS='--selinux-enabled --log-driver=journald -g /home/docker'

Now to make sure SELinux recognizes this in a proper context, we need to run:

sudo chcon -Rt svirt_sandbox_file_t /home/docker

To run docker as your current user instead of as root, you need to create a group and add your user to it.

Setup docker to run with your user

To ensure you can run docker with your user and ditch the sudo usage, you need to create a group and add the user to the group:

Create the docker group.

sudo groupadd docker

Now add your (current) user to the docker group:

sudo usermod -aG docker $USER

Now log out and log in again, to make sure your user has the right groups loaded.

To check if everything is properly set up, you can run docker:

docker run hello-world

and you’ll be now able to run docker as your beloved user!

Setup your workspace or project directory

Now that you have docker running as your user, you (may) want to share your project folder with the container, so that the process inside the container can read your files and make changes if necessary.

So go to the root directory of your project, or of your workspace in case you have several projects, and run:

sudo chcon -Rt svirt_sandbox_file_t /path/to/workspace_or_project
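To confirm that the labelling of /home/docker and your workspace and the docker group step actually took effect, here is an added check script that is not part of the original post. It assumes that `ls -Zd DIR` prints the SELinux context as its first field (coreutils does, printing "?" when labels are unavailable) and that `id -nG` lists your groups; it only reports and never relabels anything.

```shell
#!/usr/bin/env bash
# Added verification script, not part of the original post.
# Assumption: `ls -Zd DIR` prints the SELinux context as its first field
# (coreutils does; it prints "?" when SELinux labels are unavailable).

# Third colon-separated field of a context, e.g.
# unconfined_u:object_r:svirt_sandbox_file_t:s0 -> svirt_sandbox_file_t
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds when the type lets containers read and write the files.
# svirt_sandbox_file_t is what the post uses; container_file_t is the
# newer name that current Fedora policy aliases it to.
is_container_label() {
  case "$(selinux_type "$1")" in
    svirt_sandbox_file_t|container_file_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds when group $1 appears in the space-separated list $2
# (the format `id -nG` prints).
in_group() {
  printf '%s\n' "$2" | tr ' ' '\n' | grep -qx -- "$1"
}

# Print the label of one directory and whether it matches.
check_dir() {
  ctx=$(ls -Zd -- "$1" 2>/dev/null | awk '{print $1}')
  if [ -z "$ctx" ] || [ "$ctx" = "?" ]; then
    echo "$1: no SELinux label readable (is SELinux enabled?)"
  elif is_container_label "$ctx"; then
    echo "$1: OK ($ctx)"
  else
    echo "$1: needs relabel, run: sudo chcon -Rt svirt_sandbox_file_t $1"
  fi
}

# Usage: ./check.sh /home/docker /path/to/workspace
# Without arguments only the functions are defined.
if [ $# -gt 0 ]; then
  if in_group docker "$(id -nG)"; then
    echo "$USER is in the docker group"
  else
    echo "$USER is not in the docker group (log out and in after usermod)"
  fi
  for d in "$@"; do check_dir "$d"; done
fi
```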

If you still cannot access internet inside your container

In my recent Fedora 33 installation, I had to make some changes to the firewall in order to access the internet from inside containers. A bug report is already open at Bugzilla. The root issue is that IP masquerading is not enabled. First, get the list of active zones: sudo firewall-cmd --get-active-zones

docker
  interfaces: docker0
public
  interfaces: enp56s0u1u1

Then I need to add masquerading to the public zone: sudo firewall-cmd --zone=public --add-masquerade

Note that in several search results you may see FedoraWorkstation instead of public; in that case, replace public with FedoraWorkstation in the previous command.

Conclusion

Since docker runs the processes inside the containers as root, it’s always a good idea to keep SELinux enabled, to ensure nothing is misbehaving and reading files that should not be read.

If you see people anywhere suggesting that you disable SELinux, please ignore them, because in this world security is never enough.

If you want to ask a question or share your thoughts, please contact me through the links on the left.