11.2.4.3 SELinux Labels
A focused guide to SELinux Labels, connecting core concepts with practical Docker and container operations.
On hosts running SELinux, Docker attaches SELinux security contexts (labels) to each container's processes and to the files it is meant to use; the loaded policy then decides, per pair of labels, which operations are allowed, independently of and in addition to the ordinary Unix permission bits. SELinux fills the same role as AppArmor's container profile, and on Red Hat-derived distributions it is the mandatory access control mechanism that is actually present.
How SELinux Labeling Works for Containers
On an SELinux-enabled host, and provided the daemon was started with SELinux support (it is listed under Security Options in the output of docker info; upstream Docker CE needs the selinux-enabled daemon option, while Red Hat's packages and Podman turn it on by default), Docker runs each container's processes with the type container_t and a unique pair of MCS categories, for example s0:c123,c456. The type rules separate the container from the host's files and services; the categories separate containers from one another.
docker run --security-opt label=type:container_t myapp:1.0
This explicitly sets the process type for the container. container_t is already the default, so the option matters when a workload needs a custom type generated for it, or, with label=disable, when confinement is switched off entirely for one container, which should be treated as a privilege escalation for that container. In every case it is the policy rules written for the type, not the label string itself, that decide what the container may do.
Why SELinux Is the Primary Mechanism on Certain Distributions
Red Hat-based distributions, including RHEL, CentOS Stream, Fedora and their rebuilds, ship SELinux enabled in enforcing mode and do not carry AppArmor at all, so SELinux is the only mandatory access control mechanism Docker can use there. Debian, Ubuntu and SUSE take the opposite position and ship AppArmor.
getenforce
getenforce prints Enforcing, Permissive or Disabled. Only Enforcing actually blocks anything: in Permissive mode the same denials are written to the audit log but the operation is allowed to proceed, which is why a container that works on a permissive test host can fail on an enforcing production host. sestatus gives the fuller picture, including which policy is loaded.
Labeling Volumes for SELinux Compatibility
A bind mount on an SELinux-enabled host keeps whatever label the directory already has on the host, for example user_home_t under /home or default_t for a freshly created top-level directory. container_t has no rule permitting access to such types, so reads and writes from the container fail even when the Unix permissions are wide open, unless the mount is relabeled with a container-specific label.
docker run -v /host/data:/app/data:Z myapp:1.0
The :Z option relabels the host directory recursively as container_file_t with this container's private MCS categories, so only this container can use it. The lowercase :z variant applies the shared label without categories, so several containers can use the same mount. Both variants change labels on the host, and the change persists after the container exits, so never apply them to system directories such as /, /usr, /etc or a user's whole home directory: relabeling those can break host services that depend on the original types. Without one of the two options the mount silently keeps its host label and produces the unexpected permission denials described above.
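The script below is an added example, written for this page rather than taken from it or from Docker's tooling, that models why a :Z volume is private to one container while a :z volume is shared, using the process and file labels introduced above. Labels are taken in the user:role:type:level form printed by ps -eZ and ls -Z; the container and volume labels in the script are constructed, and the check is deliberately reduced to the type test plus the MCS category-subset test (a real decision also consults the rest of the policy, and category ranges such as c0.c1023 are not handled).

```shell
#!/bin/sh
# Added example (not from the page or from Docker): a simplified model of how
# SELinux labels gate a container's access to a bind-mounted file.
# Labels are user:role:type:level, as shown by `ps -eZ` (processes) and
# `ls -Z` (files), for example:
#   system_u:system_r:container_t:s0:c123,c456        container process
#   system_u:object_r:container_file_t:s0:c123,c456   file from a :Z mount
#   system_u:object_r:container_file_t:s0             file from a :z mount
# Only two checks are modelled: the file type must be container_file_t and
# every MCS category on the file must also be held by the process. The real
# decision consults the full policy; category ranges (c0.c1023) are ignored.

# Type field of a label.
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Category set of a label ("c123,c456"), or empty when the level is plain s0.
label_cats() {
    case "$1" in
        *:s0:*) printf '%s\n' "${1##*:s0:}" ;;
        *)      printf '\n' ;;
    esac
}

# Succeed if every category in $2 (file) is also present in $1 (process).
cats_dominate() {
    _proc=",$1,"
    if [ -z "$2" ]; then
        return 0
    fi
    _old_ifs=$IFS
    IFS=,
    for _c in $2; do
        case "$_proc" in
            *,"$_c",*) ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# Print allow/deny with the reason; the exit status mirrors the decision.
container_can_access() {
    _pt=$(label_type "$1")
    _ft=$(label_type "$2")
    if [ "$_pt" != "container_t" ]; then
        echo "deny: process type $_pt is not the confined container type"
        return 1
    fi
    if [ "$_ft" != "container_file_t" ]; then
        echo "deny: file type $_ft is not container_file_t (mount has no :Z/:z label)"
        return 1
    fi
    if cats_dominate "$(label_cats "$1")" "$(label_cats "$2")"; then
        echo "allow"
        return 0
    fi
    echo "deny: file categories $(label_cats "$2") are not held by the process ($(label_cats "$1"))"
    return 1
}

# Constructed labels: two containers on one host and three bind mounts.
C1='system_u:system_r:container_t:s0:c123,c456'
C2='system_u:system_r:container_t:s0:c789,c101'
VOL_Z_C1='system_u:object_r:container_file_t:s0:c123,c456'   # -v /host/data:/app/data:Z, started by C1
VOL_SHARED='system_u:object_r:container_file_t:s0'           # -v /host/shared:/shared:z
VOL_PLAIN='unconfined_u:object_r:user_home_t:s0'             # -v /home/me/data:/app/data, no relabel

container_can_access "$C1" "$VOL_Z_C1"   || true   # allow: private label belongs to C1
container_can_access "$C2" "$VOL_Z_C1"   || true   # deny: another container's categories
container_can_access "$C2" "$VOL_SHARED" || true   # allow: shared label carries no categories
container_can_access "$C1" "$VOL_PLAIN"  || true   # deny: host type, :Z/:z never applied
```

On a real host the two inputs come from ps -eZ (the container's process label) and ls -Z on the mounted path; the second deny case is exactly the denial the :Z option is there to prevent, and the fourth is what a plain -v produces under /home.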
Diagnosing an SELinux-Related Permission Issue
A denial that the ordinary Unix permissions cannot explain (the file is world-readable, yet the container gets "permission denied") is very often an SELinux denial. The kernel records each one as an AVC record in the audit log, so the place to look first is the audit trail rather than the container's own logs, and ls -Z on the host path shows the label the container is being denied against. Remember that in Permissive mode the record is still written even though the access succeeded.
ausearch -m avc -ts recent
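The script below is an added example for this section, not code from the page or from the audit tooling, that turns raw AVC lines in the format ausearch -m avc prints into one summary per denial and sorts each into the two cases that matter for a container operator: a bind mount that merely lacks a container label, versus a denial in which the policy is containing the process exactly as intended. The two audit records are constructed for this example; the type names in avc_advice are ones shipped by container-selinux and the base policy, and the classification heuristic is mine.

```shell
#!/bin/sh
# Added example (not from the page or from auditd/ausearch): summarise AVC
# denials and say whether a volume needs a container label or the policy is
# doing its job. Input is the raw `type=AVC` line that `ausearch -m avc`
# prints; separator and time-> lines are skipped. The sample is constructed.

# One line per denial: source type, target type, class, permissions, object name.
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        s = ""; t = ""; cls = ""; name = "?"; perms = ""
        a = index($0, "{"); b = index($0, "}")
        if (a && b) {
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perms)   # trim the braces padding
            gsub(/ /, ",", perms)        # "read open" -> "read,open"
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { s = $i;    sub(/^scontext=/, "", s) }
            else if ($i ~ /^tcontext=/) { t = $i;    sub(/^tcontext=/, "", t) }
            else if ($i ~ /^tclass=/)   { cls = $i;  sub(/^tclass=/, "", cls) }
            else if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
        }
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type:level -> type is field 3
        print sp[3], tp[3], cls, perms, name
    }' "$1"
}

# Heuristic (mine, not the policy's): map source and target types to an action.
avc_advice() {
    case "$1" in
        container_t) ;;
        *) echo "source $1 is not container_t: not a container labeling problem"; return 0 ;;
    esac
    case "$2" in
        container_file_t|container_share_t|container_ro_file_t)
            echo "target already has a container label: check MCS categories (another container's :Z volume?) or a missing rule for the class" ;;
        shadow_t|etc_t|usr_t|bin_t|var_t|root_t|home_root_t|boot_t|proc_t|sysfs_t)
            echo "system content ($2): containment is working as intended; do not relabel, reconsider the mount or write a custom policy" ;;
        *)
            echo "unlabeled bind mount ($2): add :Z (private) or :z (shared) to the -v spec, or chcon -Rt container_file_t on that directory" ;;
    esac
}

# Constructed sample in the shape ausearch prints, noise lines included.
SAMPLE_AVC=$(mktemp)
cat >"$SAMPLE_AVC" <<'EOF'
----
time->Mon Jan  1 12:00:00 2024
type=AVC msg=audit(1704110400.123:456): avc:  denied  { read } for  pid=4242 comm="python3" name="data" dev="dm-0" ino=1337 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Mon Jan  1 12:00:05 2024
type=AVC msg=audit(1704110405.789:457): avc:  denied  { read open } for  pid=4243 comm="cat" name="shadow" dev="dm-0" ino=2048 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
EOF

# On a real host: ausearch -m avc -ts recent > denials.txt; then pass denials.txt here.
avc_summary "$SAMPLE_AVC" | while read -r src tgt cls perms name; do
    printf '%s -> %s (%s %s on %s): %s\n' "$src" "$tgt" "$cls" "$perms" "$name" "$(avc_advice "$src" "$tgt")"
done
```

The first record is the classic missing-:Z case (container_t denied read on a user_home_t directory); the second is the container trying to open /etc/shadow, where the right response is to leave the policy alone. audit2allow will happily generate a rule for either, which is why the triage step belongs before it.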
Why SELinux Labels Matter
On SELinux-enabled hosts, understanding and correctly applying SELinux labeling is essential both for explaining denials that Unix permissions cannot account for and for getting the isolation the mechanism offers: type enforcement keeps a container away from the host's files, and MCS categories keep containers away from each other. Disabling it per container or relabeling broad host directories to make a denial go away trades both away, so diagnosing the denial first is part of a sound container security posture.