## Problem Description
When deploying a project with docker-compose, the YAML file is as follows:
```yaml
version: '3'
services:
  purchasing-contract-consumer:
    image: /consumer:latest
    environment:
      - TZ=Asia/Shanghai
      - app_env=prod
    restart: always
    working_dir: /app
    command: python
    volumes:
      - type: bind
        source: /home/admin/deploy/consumer/
        target: /app/
```
Starting the application fails with the following error:
```
PermissionError: [Errno 13] Permission denied: '/app/'
```
## Cause Analysis
My application needs to write a file inside the container, and that file lives on a path bind-mounted from the host machine. The host runs CentOS, where SELinux is enabled by default. Under the SELinux policy, the container process has the type `container_t`, while files on the host have the type `user_home_t` by default. Because the two types do not match, the container process cannot access the files mounted from the host.
## Solution
Scheme 1: Disable SELinux (not recommended).
To disable SELinux temporarily:
```shell
sudo setenforce 0
```
Scheme 2: Change the file type to `svirt_sandbox_file_t` on the host machine:
```shell
chcon -t svirt_sandbox_file_t
```
To make the file type change permanent:
```shell
semanage fcontext -a -t svirt_sandbox_file_t ""
restorecon
```
Once the file type is `svirt_sandbox_file_t`, the Docker container process, which has the type `container_t`, can access the files, because SELinux allows `container_t` processes to access `svirt_sandbox_file_t` files.
Scheme 3 (recommended): Use `:Z` when mounting. This sets the mounted files to the `container_file_t` type so that the container process can access them. The updated YAML file is as follows:
```yaml
version: '3'
services:
  purchasing-contract-consumer:
    image: /consumer:latest
    environment:
      - TZ=Asia/Shanghai
      - app_env=prod
    restart: always
    working_dir: /app
    command: python
    volumes:
      - /home/admin/deploy/consumer/:/app/:Z
```
After running, check the SELinux context type:
```shell
[admin@myhost consumer]$ ls -lZ
-rw-rw-r--. admin admin system_u:object_r:container_file_t:s0:c716,c748
drwxr-xr-x. root root system_u:object_r:container_file_t:s0:c97,c362 config
-rwxr-xr-x. admin admin unconfined_u:object_r:user_home_t:s0
-rw-rw-r--. admin admin unconfined_u:object_r:user_home_t:s0
-rwxrwxr-x. admin admin unconfined_u:object_r:user_home_t:s0
```
Files mounted with `:Z` have the type `container_file_t`, which the container process can access. Files with the default type `user_home_t` cannot be accessed by the container process.
When using Scheme 3, the bind mount must not be specified explicitly (long syntax); `:Z` only takes effect in the short form, as follows:
```yaml
volumes:
  - type: bind
    source: /home/admin/deploy/consumer/
    target: /app/:Z  # Invalid, the container cannot modify the SELinux type on the host

volumes:
  - /home/admin/deploy/consumer/:/app/:Z  # Effective, the container successfully modified the SELinux type on the host
```
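
The following check is an added example, not part of the original post: it walks an already-parsed Compose file and flags bind mounts that will keep their host SELinux label, including the ineffective long-syntax `target: /app/:Z` form shown above. The function names and the `SAMPLE` dict are constructed for illustration, and the `bind.selinux` key it accepts comes from the Compose Specification rather than from this page.

```python
# Added example: flag bind mounts that lack an SELinux relabel option.
# Input is an already-parsed Compose file (a dict); SAMPLE is constructed.
LABEL_OPTS = {"z", "Z"}

def check_volume(vol):
    """Return None if the mount is fine, else a finding string."""
    if isinstance(vol, str):  # short syntax: SOURCE:TARGET[:OPTIONS]
        parts = vol.split(":")
        if len(parts) < 2 or not parts[0].startswith(("/", ".", "~")):
            return None  # named or anonymous volume, not a host bind mount
        opts = set(parts[2].split(",")) if len(parts) > 2 else set()
        if opts & LABEL_OPTS:
            return None
        return f"{parts[0]}: no :z/:Z option, host label stays unchanged"
    if vol.get("type") != "bind":
        return None
    if str(vol.get("target", "")).endswith((":z", ":Z")):
        return f"{vol.get('source')}: ':Z' in a long-syntax target is not applied"
    # bind.selinux is the Compose Specification's long-syntax relabel key
    # (not covered by the original post).
    if (vol.get("bind") or {}).get("selinux") in LABEL_OPTS:
        return None
    return f"{vol.get('source')}: long-syntax bind mount without relabel option"

def lint_compose(compose):
    """Return (service, finding) pairs for every unlabelled bind mount."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for vol in svc.get("volumes") or []:
            finding = check_volume(vol)
            if finding:
                findings.append((name, finding))
    return findings

SRC = "/home/admin/deploy/consumer/"
SAMPLE = {"services": {  # constructed, mirrors the three forms on this page
    "original": {"volumes": [{"type": "bind", "source": SRC, "target": "/app/"}]},
    "bad-suffix": {"volumes": [{"type": "bind", "source": SRC, "target": "/app/:Z"}]},
    "fixed": {"volumes": [SRC + ":/app/:Z", "pgdata:/var/lib/data"]},
}}

if __name__ == "__main__":
    for service, finding in lint_compose(SAMPLE):
        print(f"{service}: {finding}")
```

To run it against a real file, load the YAML with a parser of your choice and pass the resulting dict to `lint_compose`.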