You deployed a web server in a container and SELinux blocked device access
You are running a web server inside a container on Fedora. The application needs to communicate with a host device, perhaps a USB serial adapter for hardware control or a block device for direct storage access. You bind-mounted the device into the container, started the service, and the web server crashed. The logs show a permission denied error. The denial comes from SELinux. You are not sure whether to disable SELinux or adjust the policy. Disabling SELinux removes all protection. Adjusting the policy requires the correct boolean.
What SELinux is doing here
SELinux enforces Mandatory Access Control on Fedora. Every process and every file has a label. A container runs in a restricted domain designed to isolate it from the host. Host devices retain their system labels. By default, the container domain cannot access host devices. This prevents a compromised container from reading sensitive hardware or writing to disks.
The container_use_devices boolean changes this rule. It tells SELinux to allow container processes to access host devices that are bind-mounted into the container. This keeps the container isolated from the rest of the system while granting the specific hardware access your web server needs. The boolean acts as a switch in the policy. It does not disable SELinux. It only relaxes the restriction for device access within containers.
Convention aside: SELinux denials appear in the journal with a one-line summary. Run journalctl -t setroubleshoot to see these summaries. The setroubleshoot package translates raw audit messages into readable text. Read the summary before making changes. It often tells you exactly which boolean or context is missing.
Enable the boolean permanently
Here is how to enable the boolean so the change survives a reboot. The command updates the runtime policy and writes the setting to the persistent store.
sudo setsebool -P container_use_devices=true
# -P writes the change to the policy store so it persists across reboots
# container_use_devices allows container processes to access host devices
# This boolean applies system-wide to all containers
The -P flag is essential. Without it, the change only applies until the next reboot. Production configurations must persist. If you omit -P, you will be debugging a "working" system that breaks after a maintenance restart.
Convention aside: setsebool modifies booleans. It does not change file contexts or user roles. Use setsebool only for boolean switches. If you need to change labels on files, use semanage or chcon. Mixing tools leads to configuration drift. Stick to the right tool for the job.
Verify the configuration
Here is how to confirm the boolean is active. The command queries the current state of the boolean.
getsebool container_use_devices
# getsebool queries the current state of a specific boolean
# Output should show container_use_devices --> on
The output must show on. If it shows off, the previous command failed or was run without -P and the system rebooted. Check the return code of setsebool. A non-zero exit code indicates an error, such as a typo in the boolean name.
Restart the container after verifying the boolean. The boolean takes effect immediately in the kernel, but the container application may have already failed and exited. Restarting ensures the web server attempts to access the device with the new permissions.
Check the container logs for success. If the web server starts and binds to the device, the configuration is correct. If you see Permission denied again, the issue is not the boolean. Check the bind mount path and the device label.
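The enable, verify and restart steps above, collected into one script. This is an added example and not part of the original article; it assumes podman as the container runtime and a container named webserver (a placeholder you override through the CONTAINER variable). The getsebool-parsing helper is kept separate from the privileged steps so it can be exercised without SELinux present.

```shell
# Added example (not from the original article): enable container_use_devices
# persistently, verify it, and restart the container so the web server retries
# device access. Assumes podman and a container named "webserver" (placeholder).
set -eu

BOOLEAN="container_use_devices"
CONTAINER="${CONTAINER:-webserver}"   # assumed container name; override via env

# Turn one line of getsebool output ("container_use_devices --> on") into
# just the state: on, off, or unknown (non-zero return). No SELinux needed.
boolean_state_from_line() {
    case "$1" in
        *" --> on")  echo on ;;
        *" --> off") echo off ;;
        *)           echo unknown; return 1 ;;
    esac
}

# Live state of the boolean, via getsebool (read-only, no root needed).
current_state() {
    boolean_state_from_line "$(getsebool "$BOOLEAN")"
}

# -P writes the change to the policy store so it survives a reboot.
# setsebool exits non-zero on a typo in the boolean name; do not ignore that.
enable_persistently() {
    if ! sudo setsebool -P "${BOOLEAN}=true"; then
        echo "setsebool failed; check the boolean name: $BOOLEAN" >&2
        return 1
    fi
}

main() {
    if [ "$(current_state)" = "on" ]; then
        echo "$BOOLEAN is already on"
    else
        enable_persistently
        [ "$(current_state)" = "on" ] || { echo "$BOOLEAN still off after setsebool" >&2; exit 1; }
    fi
    # The kernel honours the boolean at once, but the application already
    # exited on the earlier denial; restart so it retries the device open.
    podman restart "$CONTAINER"
    podman logs --tail 20 "$CONTAINER"
    # Any fresh denial summary now points at the mount path or the label,
    # not at the boolean.
    journalctl -t setroubleshoot --since "5 minutes ago" --no-pager || true
}

# Run the procedure only when asked: APPLY_FIX=1 sh enable_devices.sh
if [ "${APPLY_FIX:-0}" = "1" ]; then main; fi
```

Sourcing the file without APPLY_FIX gives you the helper functions only; setting APPLY_FIX=1 runs the whole sequence, and the script stops at the first step whose exit code is non-zero rather than leaving you with a half-applied change.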
Common pitfalls and error patterns
A botched configuration can leave the container unable to start. Verify the mount before blaming SELinux.
The container runtime must pass the device correctly. If the path is wrong, SELinux is not the blocker. The container simply does not see the device. Verify the mount inside the container with ls -lZ. The output should show the device with its host label. If the label is missing or changed, the runtime may be stripping labels. Check your runtime flags for label preservation.
Error reference: If the boolean is disabled, the journal will contain lines like avc: denied { read } for pid=1234 comm="webserver" name="sda" dev="tmpfs" ino=5678 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file. The scontext shows the container domain. The tcontext shows the device label. The denial confirms the boolean is needed.
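The denial line above can be read mechanically. The following is an added example, not code from the original article: it pulls the scontext, tcontext and tclass fields out of an AVC line and sorts each denial into "the boolean is missing" versus "the device is mislabelled" versus "this is not a device access at all". The sample lines are constructed; the first copies the page's denial, the others are invented to show the other outcomes. The *_device_t suffix check is a heuristic rather than a full policy lookup.

```shell
# Added example (not from the original article): triage raw AVC denials to
# decide whether container_use_devices is what is missing, or something else.
# The sample lines below are constructed; the first mirrors the page's denial.

SAMPLE_DEVICE_DENIAL='avc: denied { read } for pid=1234 comm="webserver" name="sda" dev="tmpfs" ino=5678 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'
SAMPLE_WRONG_LABEL='avc: denied { read } for pid=1234 comm="webserver" name="ttyUSB0" dev="tmpfs" ino=91 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:container_file_t:s0 tclass=chr_file'
SAMPLE_NOT_DEVICE='avc: denied { write } for pid=1234 comm="webserver" name="index.html" dev="vda1" ino=77 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
SAMPLE_OTHER_DOMAIN='avc: denied { read } for pid=999 comm="httpd" name="sda" dev="devtmpfs" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'

# Print the value of one key=value field from an AVC line (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Classify a denial. Output is one of:
#   boolean-needed:container_use_devices   container_t hit a *_device_t node
#   device-label-unexpected:<type>         device node, but not labelled as a device
#   not-device-access:<tclass>             the denial is not about a device node
#   other-domain:<domain>                  the source is not a container process
#   not-an-avc-denial
classify_avc() {
    line=$1
    case "$line" in
        *"avc:"*"denied"*) ;;
        *) echo "not-an-avc-denial"; return 0 ;;
    esac
    # Third colon-separated field of a context is the type/domain.
    sdom=$(avc_field "$line" scontext | cut -d: -f3)
    ttype=$(avc_field "$line" tcontext | cut -d: -f3)
    tclass=$(avc_field "$line" tclass)
    [ "$sdom" = "container_t" ] || { echo "other-domain:$sdom"; return 0; }
    case "$tclass" in
        blk_file|chr_file)
            case "$ttype" in
                *_device_t) echo "boolean-needed:container_use_devices" ;;
                *)          echo "device-label-unexpected:$ttype" ;;
            esac ;;
        *) echo "not-device-access:$tclass" ;;
    esac
}

# Pull recent kernel AVC lines from the journal and classify each one,
# printing the verdict and the offending command. Needs journal read access.
triage_recent_denials() {
    journalctl -k --no-pager --since "10 minutes ago" 2>/dev/null \
      | grep 'avc:.*denied' \
      | while IFS= read -r line; do
            printf '%s\t%s\n' "$(classify_avc "$line")" "$(avc_field "$line" comm)"
        done
}
```

A device-label-unexpected verdict is the case the next paragraphs describe: the bind mount worked but the node inside the container no longer carries its host device label, so enabling the boolean will not help and the runtime's label handling is what to look at.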
Convention aside: journalctl -xe reads better than journalctl alone. The -x flag adds explanatory text from the message catalog and the -e flag jumps to the end of the output. Most sysadmins type journalctl -xeu <unit> from muscle memory. Use this pattern to find the denial quickly.
Another pitfall is editing /etc/selinux/config. This file controls the SELinux mode, not booleans. Changing SELINUX=enforcing to SELINUX=disabled removes all protection. Never edit this file to fix a boolean issue. Use setsebool for booleans. Use setenforce 0 only for temporary debugging, and revert immediately.
The boolean is global. Enabling container_use_devices applies to all containers on the system. If you run multiple containers, all of them gain the ability to access host devices if they bind-mount them. This is usually acceptable for a server running web server containers. Be aware of the scope. If you only need one container to have access, you cannot restrict the boolean to a single container. The boolean is system-wide.
When to use this configuration
Use container_use_devices when your web server container requires access to host hardware devices like USB adapters or block storage. Use standard container defaults when your web server only needs network access and file storage within the container filesystem. Disable the boolean when the web server no longer requires device access to minimize the attack surface. Keep the boolean off by default and enable it only for containers that need it.
Where to go next
- How to Set Up Port Forwarding with firewalld on Fedora
- How to Scan for Rootkits and Malware on Fedora (rkhunter, chkrootkit, ClamAV)
- How to Sign RPM Packages with GPG Keys
Check the boolean before you restart. A quick getsebool saves a reboot cycle.