From 3c76f174dd1332cde87b9a15bbaa64c137bfe008 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 6 Oct 2021 12:11:50 -0400
Subject: [PATCH] Tell users who change graphroot location to fix the SELinux labels

Signed-off-by: Daniel J Walsh
---
 docs/containers-storage.conf.5.md | 6 ++++++
 storage.conf | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/docs/containers-storage.conf.5.md b/docs/containers-storage.conf.5.md
index d06ca0991e..df79b61084 100644
--- a/docs/containers-storage.conf.5.md
+++ b/docs/containers-storage.conf.5.md
@@ -38,6 +38,12 @@ The `storage` table supports the following options:
 container storage graph dir (default: "/var/lib/containers/storage")
 Default directory to store all writable content created by container storage programs.
 The rootless graphroot path supports environment variable substitutions (ie. `$HOME/containers/storage`)
+ When changing the graphroot location on an SELINUX system, ensure
+ the labeling matches the default locations labels with the
+ following commands:
+
+ # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
+ # restorecon -R -v /NEWSTORAGEPATH
 
 **rootless_storage_path**="$HOME/.local/share/containers/storage"
 Storage path for rootless users. By default the graphroot for rootless users
diff --git a/storage.conf b/storage.conf
index 722750c0cc..bf1534adc3 100644
--- a/storage.conf
+++ b/storage.conf
@@ -11,8 +11,14 @@ driver = "overlay"
 runroot = "/run/containers/storage"
 
 # Primary Read/Write location of container storage
+# When changing the graphroot location on an SELINUX system, you must
+# ensure the labeling matches the default locations labels with the
+# following commands:
+# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
+# restorecon -R -v /NEWSTORAGEPATH
 graphroot = "/var/lib/containers/storage"
+
 
 # Storage path for rootless users
 #
 # rootless_storage_path = "$HOME/.local/share/containers/storage"
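Review bot: The two command lines added to the man page source (`# semanage fcontext ...` and `# restorecon ...`) begin with `# ` at the start of the line, which markdown renderers such as go-md2man are likely to treat as a level-1 heading rather than a root shell prompt, so the rendered page would probably show them as headings instead of commands; indent them four spaces or place them in a fenced code block, and consider dropping the `# ` prompt so the lines can be copied as-is. This hunk and the storage.conf hunk both write `SELINUX` where the commit subject and the rest of the project use `SELinux`, and `the default locations labels` would read better as `the default location's labels`. Readers would also benefit from one sentence on why the step matters, e.g. `Without a matching label, container engines on an SELinux-enforcing host are denied access to the relocated graphroot.` On Fedora/RHEL-family systems `semanage` is shipped separately from the base policy tools (the policycoreutils-python-utils package), which is worth mentioning next to the command.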
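Review bot: The added empty line after `graphroot = "/var/lib/containers/storage"` appears, from the hunk's line counts, to sit next to an existing blank context line, which would leave two consecutive blank lines before `# Storage path for rootless users`; if only the comment block was intended, drop the `+` blank line. The `SELINUX` spelling and the `default locations labels` phrasing in this comment are the same as in the docs hunk and are raised there.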