SELinux provides a user, a role, a type, and a level (ls -Z). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
For container to mount the host volume if SELinux is enabled on the host
- Kubernetes
-
Enable PodSecurityPolicy in Admission Controller link
-
Create PodSecurityPolicy with SeLinux rule link
seLinux: rule: RunAsAny -
Apply the newly created PodSecurityPolicy to a user link
-
Assign SELinux labels to the container in your deployment link
securityContext: seLinuxOptions: level: "s0:c123,c456"
- Docker
- as below 'z' at the end is important
-v {source}:{destination}:z