If you see “permission denied” errors in your container logs when mounting volumes, it’s likely caused by incorrect SELinux labels on the host directories. Docker and Podman allow you to modify these labels using two special mount options: :z
and :Z
.
If you are on a SELinux enabled distribution like Rocky Linux, the container won’t have permission to the volumes. This results in “permission denied” errors.
Using :Z marks the mounted content as private and unshared:
volumes:
- /host/directory:/container/directory:Z
This mounts the /host/directory into the container read/write. But Podman will label the content on the host as private and unshared, preventing other containers from accessing it.
volumes:
- /host/directory:/container/directory:z
This mounts the host directory /host/directory
into the container at /container/directory
. The :z
suffix instructs Docker to label this content as shared. This allows multiple containers to read and write to the shared volume.
The :z
option modifies the SELinux label on the host directory to mark it as shared content. Use this carefully as it can have security implications.