[BUG] Mounting `/lib/modules` with `:z` or `:Z` on SELinux-enabled hosts causes permanent mislabeling and boot failure

[joaommartins]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

On SELinux-enabled hosts, mounting /lib/modules with the :z or :Z Docker volume relabeling flag causes the entire /usr/lib/modules/<kernel-version>/ directory to be permanently relabeled with the container_file_t SELinux type. This persists on the host filesystem across reboots and causes the system to fail to boot, as the kernel and systemd are denied access to kernel modules.

Since /lib/modules is a symlink to /usr/lib/modules, the relabeling affects the real path. After the container runs, files appear as:

$ ls -Z /usr/lib/modules/6.12.0-160000.8-default/vmlinuz
system_u:object_r:container_file_t:s0 /usr/lib/modules/6.12.0-160000.8-default/vmlinuz

On the next reboot the system fails with errors including:

systemd-sysctl: Failed to open file '/usr/lib/modules/<kernel>/sysctl.conf': Permission denied
systemd: Failed to mount /boot/efi
systemd: Failed to start Apply Kernel Variables

The issue is particularly difficult to diagnose because snapper (btrfs) rollbacks restore SELinux extended attributes when rolling back to a known-good snapshot. However, on first boot into the rolled back state, if the offending docker compose stack starts automatically, the kernel modules will be relabelled in the background. Subsequent boots after this will then fail with the same errors.

Expected Behavior

The README should warn that :z/:Z must not be used with the /lib/modules volume mount on SELinux-enabled hosts. Since the README already marks /lib/modules as optional (only needed when the wireguard module is not already loaded), SELinux users whose kernel already has wireguard built-in should simply omit this volume entirely.

If the mount is required, the recommended approach is:

volumes:
  - /lib/modules:/lib/modules:ro
security_opt:
  - label:disable

Steps To Reproduce

1. Run the wireguard container on a host with SELinux in enforcing mode
2. Mount /lib/modules with the :z volume relabeling flag
3. Reboot the host
4. System fails to boot — mounts depending on kernel modules (e.g. vfat for /boot/efi) fail with permission denied

Environment

- OS: OpenSUSE Leap 16, SELinux enforcing
- How docker service was installed: distro's package manager

CPU architecture

x86-64

Docker creation

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - /path/to/config:/config
      - /lib/modules:/lib/modules:z  # <-- this line causes the issue
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

Container logs

[custom-init] iptables.sh: executing...
**** Adding iptables rules ****
Warning: Extension mark revision 0 not supported, missing kernel module?
Warning: Extension REJECT revision 0 not supported, missing kernel module?
iptables v1.8.11 (nf_tables): RULE_APPEND failed (No such file or directory): rule in chain OUTPUT
[custom-init] iptables.sh: exited 4


**Note:** The container logs alone do not reveal the SELinux mislabeling — the boot failure only manifests on the next host reboot, making this hard to connect back to the container.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[aptalca]

Where does the readme say to mount it with :z or :Z? I don't see it.

[joaommartins]

Where does the readme say to mount it with :z or :Z? I don't see it.

It doesn't, there is no discussion about running the container under SELinux, so SELinux folder mounting directives aren't discussed.

However, I don't find it too unlikely that someone hosting their own Wireguard server would have SELinux in enforcing mode, like I do in a pretty standard OpenSUSE Leap 16.0 installation. If your server is configured like this, then the discussion about mounting folders becomes important, due to the real possibility of silently breaking the server's ability to boot.

[aptalca]

It doesn't, there is no discussion about running the container under SELinux, so SELinux folder mounting directives aren't discussed.

Right. That's because selinux is beyond the scope of this repo. It's not appropriate for us to list potential pitfalls associated with systems we don't require or directly promote. You can report that issue to docker/moby as it really has to do with them and selinux.

Plus, the readme makes clear that most people these days don't need to map the modules folder as the recent kernels enable the iptables module by default and if not, you can modprobe:
https://github.com/linuxserver/docker-wireguard?tab=readme-ov-file#note-on-iptables

[joaommartins]

Sure, not an issue for this repo then, closing. Thanks.