{
  "id": "docker/volume-bind-mount-permission-denied",
  "signature": "Error response from daemon: error while mounting volume '/host/path': permission denied",
  "signature_zh": "守护进程响应错误：挂载卷 '/host/path' 时出错：权限被拒绝",
  "regex": "error while mounting volume '[^']+': permission denied",
  "domain": "docker",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The host directory or file being bind-mounted has restrictive permissions or SELinux labels that prevent the Docker container from accessing it.",
  "root_cause_type": "generic",
  "root_cause_zh": "被绑定挂载的主机目录或文件具有限制性权限或 SELinux 标签，阻止 Docker 容器访问。",
  "versions": [
    {
      "version": "Docker 20.10.22",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Docker 24.0.6",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "RHEL 8",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Ubuntu 22.04",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Even root inside the container may not bypass host SELinux or AppArmor policies; the mount itself is denied at the daemon level.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The permission denied error occurs before the container process runs; it's a mount-time check, not a runtime access issue.",
      "fail_rate": 0.75,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Add `:Z` or `:z` suffix to the bind mount to relabel SELinux context: `docker run -v /host/path:/container/path:Z myimage`",
      "success_rate": 0.9,
      "how": "Add `:Z` or `:z` suffix to the bind mount to relabel SELinux context: `docker run -v /host/path:/container/path:Z myimage`",
      "condition": "",
      "sources": []
    },
    {
      "action": "Ensure the host directory has at least 755 permissions (`chmod 755 /host/path`) and the Docker daemon has read access. Then retry the mount.",
      "success_rate": 0.8,
      "how": "Ensure the host directory has at least 755 permissions (`chmod 755 /host/path`) and the Docker daemon has read access. Then retry the mount.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Add `:Z` or `:z` suffix to the bind mount to relabel SELinux context: `docker run -v /host/path:/container/path:Z myimage`",
    "Ensure the host directory has at least 755 permissions (`chmod 755 /host/path`) and the Docker daemon has read access. Then retry the mount."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.82,
  "resolvable": "true",
  "first_seen": "2023-08-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}