fix: Add permissions to modify mounted files when using SELinux

[bkmgit]

doc: Document how to use Podman with docker-compose

closes #9179

[jennifer-richards]

Running with full privileges feels like an undesirable application of a sledgehammer, and is not recommended practice (see the warning box in the linked section). Can the problem you're encountering be solved with a more limited grant?

Also, are you sure the issue you have is an SELinux issue and not a UID mismatch? We have so far been able to resolve permissions issues by coordinating UIDs between the container and host.

[bkmgit]

UID and GID are matched from https://github.com/ietf-tools/datatracker/blob/main/docker/run#L59-L64

The recommended action is to map the volumes with :Z or :z see for example https://developers.redhat.com/articles/2025/04/11/my-advice-selinux-container-labeling

however changing

        volumes:
            - postgresdb-data:/var/lib/postgresql/data:z

in https://github.com/ietf-tools/datatracker/blob/main/docker-compose.yml#L42-L43 to

        volumes:
            - postgresdb-data:/var/lib/postgresql/data:z

does not work. Will check if installing docker-compose manually helps rather than using the package manager as it seems a similar issue is obtained for lando/lando#3343

[rjsparks]

Moving this to draft while Jennifer and Benson continue the conversation

[jennifer-richards]

To continue the conversation: I'm curious what you find relative to your last message, @bkmgit. When I get a moment to set up a system to poke at SELinux myself I'd be happy to try to assist. That'll be ~ next week.

If it looks like it's not going to work with a narrower permissions grant, maybe we can set up an option to the docker/run script or otherwise allow the privileged option to be enabled for users who need it.