Docker Compose Fails on Fedora Due to SELinux Volume Permissions #194

@GerMP21

Describe the bug or question
When running docker compose up on a Fedora-based OS, the web and worker services fail to start. The containers exit with ModuleNotFoundError: No module named 'app.core' and ERROR: Error loading ASGI app. Could not import module "app.main". This issue is not present on other Linux distributions like Arch Linux and is caused by SELinux preventing the containers from accessing the bind-mounted volumes. The fix is to append the :Z flag to the volume mounts in the docker-compose.yml file.

Steps to Reproduce:

  1. Use Fedora Linux 42 (Budgie) x86_64 with kernel Linux 6.15.10-200.fc42.x86_64.
  2. Run docker compose up.

Description
The expected outcome is that all services defined in the docker-compose.yml file build and start without any errors.

The actual output shows the worker-1 and web-1 containers failing with import errors:

    worker-1  | Traceback (most recent call last):
    worker-1  |   File "/app/.venv/bin/arq", line 10, in <module>
    worker-1  |     sys.exit(cli())
    ...
    worker-1  | ModuleNotFoundError: No module named 'app.core'
    worker-1 exited with code 1
    web-1     | ERROR:    Error loading ASGI app. Could not import module "app.main".

These errors indicate that the Python interpreter within the containers cannot access the application code located in the host directories mounted as volumes. This is a direct result of SELinux enforcing security policies that, by default, prevent containers from accessing host file systems.

Screenshots
N/A

Additional context
The problem is resolved by modifying the volumes section for the web and worker services in the docker-compose.yml file to include the :Z flag. This flag instructs Docker to relabel the host directory, making it accessible to the container. The Z option specifically labels the content as private and unshared.

Corrected volumes configuration:

    volumes:
      - ./src/app:/code/app:Z
      - ./src/.env:/code/.env:Z

This configuration is necessary for Docker to function correctly on SELinux-enabled systems like Fedora when using bind mounts.
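
An added example, not part of the original issue or the project's code: a small Python check that scans short-syntax volume entries in a compose file and reports bind mounts with no SELinux label option, and also flags z/Z relabels of host system directories, which goes beyond the case in the issue. The sample compose text, the SENSITIVE list and the function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Illustrative list: host directories that should never be relabelled with z/Z.
SENSITIVE = {"/", "/etc", "/home", "/usr", "/var", "/boot", "/root"}
# Short-syntax list item, e.g. "- ./src/app:/code/app:Z" (optional quotes/comment).
ITEM = re.compile(r"^\s*-\s*['\"]?([^'\"#\s]+)['\"]?\s*(?:#.*)?$")

# Constructed sample, not the project's docker-compose.yml.
SAMPLE = """\
services:
  web:
    volumes:
      - ./src/app:/code/app
      - ./src/.env:/code/.env:Z
  worker:
    volumes:
      - ./src/app:/code/app:ro,z
      - /home:/host-home:Z
      - pgdata:/var/lib/postgresql/data
"""

def audit_volume(spec):
    """Classify one SOURCE:TARGET[:OPTIONS] string; None if not a bind mount."""
    source, *rest = spec.split(":")
    if not rest or not source.startswith((".", "/", "~")):
        return None  # anonymous or named volume, not a host bind mount
    options = rest[1].split(",") if len(rest) > 1 else []
    label = next((o for o in options if o in ("z", "Z")), None)
    if label is None:
        return "unlabelled"  # no z/Z option: the failure mode in this issue
    if source.startswith("/") and str(PurePosixPath(source)) in SENSITIVE:
        return "dangerous-relabel"  # would relabel a host system directory
    return "shared" if label == "z" else "private"

def audit_compose(text):
    """Return (spec, verdict) for every bind mount under a volumes: key."""
    findings, in_volumes = [], False
    for line in text.splitlines():
        match = ITEM.match(line)
        if line.strip() == "volumes:":
            in_volumes = True
        elif in_volumes and match:
            verdict = audit_volume(match.group(1))
            if verdict:
                findings.append((match.group(1), verdict))
        elif line.strip():
            in_volumes = False
    return findings
```

Calling audit_compose(SAMPLE) returns one (spec, verdict) pair per bind mount; "shared" corresponds to the lowercase z option, which labels content for use by several containers, and "private" to the uppercase Z used in the fix above.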
