walters reported a new issue against the project: `atomic-wg` that you are following:
``
SELinux and containers - a fairly nontrivial difference we carry from other distributions
(Ubuntu, CL) etc. that either don't use SELinux or aren't enforcing. See [this
blog](https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/)
for some discussion about the `:z/:Z` flags.
The fact that we require these labels to be set very, very commonly trips up people. And
further, I think a big problem with `:z` is that it forces a relabel every time - it's
much better to have the labels set up correctly in the first place!
Another related issue is that people do e.g. `-v /home/myuser:/home:z` which will
completely break the OS which expects `/home/myuser` to be `user_home_dir_t` etc.
Hence, my proposal is: For Atomic Host, change `/var/srv` to be
`system_u:object_r:container_share_t:s0` by default. It can then be *assumed* as a
default interchange point for containers and the host - no labeling required.
Positives: We can start documenting this, and other tools (like a pet container one) can
just assume this works.
Downsides: If we don't do this for classic as well, we'll have introduced a new
special distinction between AH and classic - we currently have very few of those.
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/505
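As an added illustration (not code from the issue or from the atomic-wg project) of the labeling problem walters describes: a few POSIX shell helpers that read the type out of an SELinux file context, flag a `-v` spec whose host side is an OS-owned directory such as `/home/<user>` (`user_home_dir_t`) rather than a shareable one, and persist the proposed `container_share_t` label on `/var/srv` via `semanage fcontext` + `restorecon` so no per-run `:z` relabel is needed. The sample contexts and the list of "protected" prefixes are constructed for the demo, and the `persist_var_srv_label` step assumes root and the `semanage` tool.

```shell
#!/bin/sh
# Added example; assumes policycoreutils (semanage, restorecon) for the last function.
# Sample contexts used by the checks are constructed, not read from a real host.

# Print the type component (third field) of a context such as
# system_u:object_r:container_share_t:s0
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the type already lets containers use the directory as a volume
# without any :z/:Z relabel on the mount.
shareable_type() {
    case "$(selinux_type "$1")" in
        container_share_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a "-v host:container[:opts]" spec given the host path's current context
# (in real use: stat -c %C "$host").  Prints one of:
#   ok              - host dir is already shareable, no relabel needed
#   unsafe          - host dir is one the OS depends on; relabeling it with :z/:Z
#                     (e.g. /home/myuser from user_home_dir_t) breaks the host
#   relabel-needed  - plain directory that would need :z/:Z or a proper label first
classify_volume() {
    spec=$1; ctx=$2
    src=${spec%%:*}
    case "$src" in
        /home/*|/etc/*|/usr/*|/var/lib/*) echo unsafe; return 0 ;;  # constructed list
    esac
    if shareable_type "$ctx"; then echo ok; else echo relabel-needed; fi
}

# Persist the proposed default so /var/srv is a container/host interchange point
# with no per-mount relabel: record the file context, then apply it on disk.
# Falls back to -m (modify) if a rule for the path already exists.
persist_var_srv_label() {
    dir=${1:-/var/srv}
    { semanage fcontext -a -t container_share_t "${dir}(/.*)?" \
      || semanage fcontext -m -t container_share_t "${dir}(/.*)?"; } \
      && restorecon -Rv "$dir"
}

# Usage: ./volcheck.sh '/home/myuser:/home:z' "$(stat -c %C /home/myuser)"
if [ $# -ge 2 ]; then classify_volume "$1" "$2"; fi
```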