Technical Note

Docker and SELinux on Fedora

A practical Fedora note for keeping SELinux enabled while making Docker storage, mounted workspaces, and container networking behave.

Paulo Fidalgo

This is a technical note I still come back to when setting up Docker on a Fedora machine with SELinux enabled.

The short version: keep SELinux enabled. Put Docker data where you want it. Make sure the directories Docker needs have the right SELinux context.

Move Docker data out of the default path

If you want Docker images and container data outside the default location (/var/lib/docker), create the directory first.

sudo mkdir -p /home/docker

Then configure Docker to use that path. On older Fedora setups this was done through /etc/sysconfig/docker, where -g (the old spelling of the data-root option) pointed the daemon at the directory.

OPTIONS='--selinux-enabled --log-driver=journald -g /home/docker'

On current Docker, which reads /etc/docker/daemon.json, use the daemon configuration file instead; -g was replaced by data-root.

{
  "data-root": "/home/docker"
}

Place that in /etc/docker/daemon.json, then restart the Docker service and confirm with docker info that Docker Root Dir shows the new path.

Set the SELinux context

Docker needs the directory labelled with a type that the daemon and container processes are allowed to read and write. On current Fedora that type is container_file_t; svirt_sandbox_file_t is its older name and still resolves to the same type.

sudo chcon -Rt svirt_sandbox_file_t /home/docker

If you bind-mount a workspace or project directory into containers, apply the same idea there. Be aware of what the label grants: a directory labelled this way carries no MCS category, so every container on the host can read and write it. If only one container needs the directory, the :Z volume option on docker run makes Docker relabel it with that container's private category instead, and :z gives the shared label without a manual chcon.

sudo chcon -Rt svirt_sandbox_file_t /path/to/workspace_or_project

This is the part I most often need to remember.

Without the right context, the container gets Permission denied on the mount even though the path and Unix permissions look correct; the denial is recorded as an AVC message in the audit log (ausearch -m avc -ts recent), which is the first place to look. Also note that chcon changes only the label stored on the files: a relabel (restorecon, or a relabel at boot) resets it to whatever the policy's file-context rules say. For a permanent location such as the data root, add a file-context rule with semanage fcontext and then run restorecon, so the label comes back after any relabel.
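The two steps above (moving the data root, then labelling it) as one script. This is an added example, not code from the original note: it writes the daemon.json equivalent of the sysconfig OPTIONS line, installs a file-context rule with semanage fcontext and applies it with restorecon so the label survives a relabel, and then checks both the daemon's root and the resulting context before trusting them. Assumed: Fedora with container-selinux and policycoreutils-python-utils (which provides semanage) installed, Docker running as docker.service under systemd, and the /home/docker path from the note (overridable through DATA_ROOT). The context-parsing helpers are pure and can be tried on any ls -Zd or stat -c %C line.

```shell
#!/bin/sh
# Added example, not from the original note: move the Docker data root and
# label it for SELinux persistently, then verify. Run as: sudo sh relocate.sh --apply
# Assumptions: Fedora with container-selinux and policycoreutils-python-utils
# (semanage) installed; Docker runs as docker.service under systemd.
set -eu

DATA_ROOT="${DATA_ROOT:-/home/docker}"   # same path as the note; override via env

# daemon.json equivalent of the old sysconfig line
#   OPTIONS='--selinux-enabled --log-driver=journald -g /home/docker'
# (-g/--graph became data-root in Docker 17.05).
daemon_json() {
  printf '{\n  "data-root": "%s",\n  "selinux-enabled": true,\n  "log-driver": "journald"\n}\n' "$1"
}

# SELinux contexts are user:role:type:level. These helpers take either a bare
# context or a `ls -Zd DIR` / `stat -c %C DIR` line whose first word is the context.
context_type() {
  printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'
}

# Level is everything after the third colon: plain "s0" after a chcon -t, or
# "s0:c123,c456" when Docker relabelled a bind mount with :Z. Only the latter
# confines the files to a single container; the former is shared by all.
context_level() {
  printf '%s\n' "$1" | awk '{
    n = split($1, f, ":"); lvl = f[4]
    for (i = 5; i <= n; i++) lvl = lvl ":" f[i]
    print lvl
  }'
}

# container_file_t is the current type; svirt_sandbox_file_t is its old name
# and still resolves to the same type on Fedora.
is_container_type() {
  case "$(context_type "$1")" in
    container_file_t|svirt_sandbox_file_t) return 0 ;;
    *) return 1 ;;
  esac
}

apply() {
  mkdir -p "$DATA_ROOT" /etc/docker
  daemon_json "$DATA_ROOT" > /etc/docker/daemon.json

  # A file-context rule is what restorecon and boot-time relabels apply, so the
  # label comes back; a bare chcon would be undone by the next relabel.
  rule="${DATA_ROOT}(/.*)?"
  semanage fcontext -a -t container_file_t "$rule" 2>/dev/null \
    || semanage fcontext -m -t container_file_t "$rule"
  restorecon -Rv "$DATA_ROOT"

  systemctl restart docker

  # Verify both halves: the daemon uses the new root, and the root carries a
  # type containers may use.
  root_in_use="$(docker info --format '{{.DockerRootDir}}')"
  [ "$root_in_use" = "$DATA_ROOT" ] || { echo "daemon root is $root_in_use" >&2; exit 1; }
  ctx="$(stat -c %C "$DATA_ROOT")"
  is_container_type "$ctx" || { echo "unexpected label on $DATA_ROOT: $ctx" >&2; exit 1; }
  echo "data root $DATA_ROOT labelled $(context_type "$ctx"):$(context_level "$ctx")"
}

case "${1:-}" in
  --apply) apply ;;
esac
```

Nothing runs unless the script is invoked with --apply, so the helpers can be sourced and tested on a machine without Docker. The level printed at the end is the quickest way to see whether a directory is private to one container (s0 plus a category pair) or shared by all of them (plain s0).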

Run Docker without sudo

Create the docker group if it does not already exist. Keep in mind that membership in this group is equivalent to root on the host: anyone in it can start a container that bind-mounts / and runs as root inside it, so add only accounts you would also trust with sudo.

sudo groupadd docker

Add your user to it.

sudo usermod -aG docker "$USER"

Log out and back in (or run newgrp docker in the current shell) so the new group membership is picked up, then test the setup.

docker run hello-world

Fix container networking when needed

On some Fedora installs, containers come up but cannot reach anything beyond the host. A common cause is that masquerading (NAT) is not enabled in the firewalld zone that holds the external interface, so traffic leaving the bridge keeps its container source address and never gets a reply.

Check the active zones.

sudo firewall-cmd --get-active-zones

If your external interface is in the public zone, enable masquerading there.

sudo firewall-cmd --zone=public --add-masquerade

Some machines use FedoraWorkstation instead of public. Adjust the zone name to match your output.

To persist the change across reloads and reboots (--add-masquerade on its own changes only the runtime configuration):

sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload
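The same fix as a script that does not assume the zone name. This is an added example, not part of the original note: it finds the interface carrying the default route, parses the output of firewall-cmd --get-active-zones to see which zone firewalld put that interface in, and enables masquerading there (runtime and permanent), so public, FedoraWorkstation or any other zone name is handled without editing the command. Assumed: firewalld and iproute2 as shipped on Fedora, and the alpine:latest image for the final egress check from inside a container (the image is an assumption; any image with wget or curl would do).

```shell
#!/bin/sh
# Added example, not from the original note: enable firewalld masquerading on
# whatever active zone holds the default-route interface. Run: sudo sh nat.sh --apply
# Assumptions: firewalld and iproute2 (Fedora defaults); alpine:latest for the check.
set -eu

# Parse `firewall-cmd --get-active-zones`, whose output looks like:
#   FedoraWorkstation
#     interfaces: wlp3s0
#   public
#     interfaces: eth0
# Zone names are flush left; their interface lists are indented. Print the zone
# that lists interface $2, or nothing if no active zone has it.
zone_for_iface() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^[^ \t]/              { zone = $1; next }
    /^[ \t]+interfaces:/   { for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit } }
  '
}

# Interface carrying the default route, i.e. the external side for NAT.
default_iface() {
  ip -o route show default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# firewall-cmd --query-* exits 0 for yes and 1 for no; use the exit status.
masquerade_enabled() {
  firewall-cmd --zone="$1" --query-masquerade >/dev/null 2>&1
}

ensure_masquerade() {
  zone="$1"
  if masquerade_enabled "$zone"; then
    echo "masquerade already enabled on zone $zone"
    return 0
  fi
  firewall-cmd --zone="$zone" --add-masquerade              # runtime: takes effect now
  firewall-cmd --permanent --zone="$zone" --add-masquerade  # persisted configuration
  firewall-cmd --reload                                      # runtime is rebuilt from permanent
}

main() {
  ifc="$(default_iface)"
  [ -n "$ifc" ] || { echo "no default route found" >&2; exit 1; }
  zones="$(firewall-cmd --get-active-zones)"
  zone="$(zone_for_iface "$zones" "$ifc")"
  [ -n "$zone" ] || { echo "interface $ifc is in no active zone" >&2; exit 1; }
  echo "external interface $ifc is in zone $zone"
  ensure_masquerade "$zone"
  # Check egress from inside a container rather than from the host.
  docker run --rm alpine:latest wget -q -O /dev/null https://fedoraproject.org \
    && echo "container egress OK"
}

case "${1:-}" in
  --apply) main ;;
esac
```

Only zone_for_iface and default_iface are needed to answer the question the note leaves to the reader (which zone is actually external here); ensure_masquerade then applies the exact pair of commands from the note to that zone.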

Do not disable SELinux to make Docker work

Disabling SELinux is the easy workaround and the wrong default.

If Docker cannot read or write a mounted path, check the context first (ls -Zd on the directory shows it). The fix is almost always to label the directory correctly, not to remove the security boundary.