selinux-dockersock
It should be stated that this is very dangerous.
If a container process gains access to this socket or the podman socket, then it has full control of the system, i.e. full root. Basically the container process does a
docker run -ti --privileged fedora sh
and it has a full root running process on the system, and only needs to escape the mount namespace.
This opens this access to all containers. If access to the docker.socket is needed within a container on an SELinux system, SELinux separation should get disabled.
docker run --security-opt label=disabled
podman run --security-opt label=disabled
Then only the container running with the docker.sock or Podman.sock gains the dangerous access.
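As an added, defender-side example that is not part of this thread, the script below audits `docker inspect` output for containers that were handed the Docker or Podman socket and records whether SELinux separation was switched off for that container alone rather than system-wide; it uses the documented option spelling `label=disable` and assumes the default socket paths.

```python
"""Audit `docker inspect` output for containers that bind-mount the Docker or
Podman API socket. Any such container effectively has root on the host, so the
audit flags each one and records whether SELinux separation was switched off
for that container only (--security-opt label=disable), the per-container
alternative to a system-wide policy module such as selinux-dockersock.
Added example, not code from the thread; the JSON is a constructed, trimmed
stand-in for `docker inspect $(docker ps -q)` output."""
import json

# Host paths for the Docker and Podman API sockets (assumed defaults).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock", "/run/podman/podman.sock"}


def socket_exposure(inspect_json: str) -> list:
    """Return one finding per container that bind-mounts an API socket."""
    findings = []
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig") or {}
        sockets = sorted(m["Source"] for m in container.get("Mounts") or []
                         if m.get("Type") == "bind" and m.get("Source") in SOCKET_PATHS)
        if not sockets:
            continue
        sec_opts = host_cfg.get("SecurityOpt") or []
        findings.append({
            "name": container.get("Name", "").lstrip("/"),
            "sockets": sockets,
            # True when SELinux confinement was disabled for this container only.
            "label_disabled": any(o in ("label=disable", "label:disable") for o in sec_opts),
            "privileged": bool(host_cfg.get("Privileged")),
        })
    return findings


# Constructed sample: a CI agent configured per the advice above, a web
# container with no socket, and a builder that got the socket plus --privileged.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-agent",
     "HostConfig": {"Privileged": False, "SecurityOpt": ["label=disable"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "SecurityOpt": None},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}]},
    {"Name": "/builder",
     "HostConfig": {"Privileged": True, "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": "/run/podman/podman.sock",
                 "Destination": "/run/podman/podman.sock"}]},
])

if __name__ == "__main__":
    for f in socket_exposure(SAMPLE_INSPECT):
        print(f"{f['name']}: sockets={f['sockets']} "
              f"label_disabled={f['label_disabled']} privileged={f['privileged']}")
```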
I avoid using Docker as much as possible; unfortunately there are a few exceptions where I have to run it, and what @rhatdan is stating is absolutely crucial to understand: this policy should not be used in prod or on any public instance. Also, switching to podman solves a lot of issues.
> This opens this access to all containers. If access to the docker.socket is needed within a container on an SELinux system, SELinux separation should get disabled.
> docker run --security-opt label=disabled
> podman run --security-opt label=disabled
> Then only the container running with the docker.sock or Podman.sock gains the dangerous access.
Thank you, this flag is what I was looking for, so I didn't need to install this entire plugin.