Custom docker location causes SELinux labels to be unlabeled

I have a tiny storage device mounted as root FS in my VM running Fedora Rawhide. I want to use this machine as a docker host for a few services.

I also have a different device available here, mounted as /bigone.

So my concept is to add:

 -g /bigone/opt/docker

into the OPTIONS of the /etc/sysconfig/docker file.
This works just fine and docker runs with a custom root dir:

$ docker info
///
Security Options:
 seccomp
  Profile: default
 selinux
Kernel Version: 5.3.0-0.rc3.git1.1.fc31.x86_64
Operating System: Fedora 31 (Server Edition)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 7.747GiB
///
Docker Root Dir: /bigone/opt/docker
///

Now when I try to run any container that is using volumes I get Permission denied in my face. For instance:

$ docker run -u root --rm -p 8080:8080 -p 50000:50000 -v jenkins-data:/var/jenkins_home:z -v /var/run/docker.sock:/var/run/docker.sock:z jenkinsci/blueocean
Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: Permission denied
Error relocating /sbin/tini: RELRO protection failed: Permission denied

As you can see I try to run it with :z, which is described as “relabel selinux crap blah blah blah you will be happy blah blah blah”. Unfortunately the label is not assigned with the custom root.

Two things make it work:

  1. removing the -g parameter from the startup command (definitely NOGO)
    • this causes all docker crap to move into /var/lib/docker and suddenly docker-run is able to assign proper labels for volume folders:

      ls -ladZ /var/lib/docker/volumes/jenkins-data/
      drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0 19 Aug 12 21:57 /var/lib/docker/volumes/jenkins-data/

  2. sudo setenforce 0
    • this causes the container to run properly, but SELinux reports an error in the journal and the label is not there on the volumes:

      ls -ladZ /bigone/opt/docker/volumes/jenkins-data/
      drwxr-xr-x. 3 root root system_u:object_r:unlabeled_t:s0 27 Aug 12 20:40 /bigone/opt/docker/volumes/jenkins-data/

So the question is: what am I missing to run docker in a custom location with SELinux enabled?

Source: StackOverflow
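Editor's added example (not part of the question above, and not the poster's code): a small POSIX shell check that reads the SELinux type out of `ls -ladZ` output, flags a Docker root that is not labelled `container_var_lib_t`, and prints the standard remediation, an `semanage fcontext` equivalence rule that makes the custom root inherit the file-context rules of `/var/lib/docker`, followed by `restorecon`. The sample `ls` lines are constructed to match the two outputs shown in the question. Assumptions: the custom root is `/bigone/opt/docker` (override with `DOCKER_ROOT`), the `/bigone` filesystem supports SELinux xattrs (ext4/xfs; an `unlabeled_t` type can also mean the filesystem itself carries no labels), and `semanage`/`restorecon` from policycoreutils are installed when you apply the printed commands.

```shell
#!/bin/sh
# Added example: diagnose SELinux labels on a relocated Docker root dir
# and print the equivalence-rule fix. Not from the original question.

# Custom Docker root as used in the question (assumption; override via env)
DOCKER_ROOT="${DOCKER_ROOT:-/bigone/opt/docker}"

# Extract the SELinux type (third colon-separated part of the context)
# from one line of `ls -ladZ` output. On Fedora the context is the 5th
# whitespace-separated field, e.g.
#   drwxr-xr-x. 3 root root system_u:object_r:unlabeled_t:s0 27 Aug 12 20:40 /path
selinux_type_of_ls_line() {
    printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'
}

# Return 0 when the directory carries the type Docker's policy expects
# for its root (container_var_lib_t), 1 for anything else.
docker_label_ok() {
    case "$(selinux_type_of_ls_line "$1")" in
        container_var_lib_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines, shaped like the two outputs in the question
GOOD_LINE='drwxr-xr-x. 3 root root system_u:object_r:container_var_lib_t:s0 19 Aug 12 21:57 /var/lib/docker/volumes/jenkins-data/'
BAD_LINE='drwxr-xr-x. 3 root root system_u:object_r:unlabeled_t:s0 27 Aug 12 20:40 /bigone/opt/docker/volumes/jenkins-data/'

# Print the fix: an equivalence rule tells the policy to label everything
# under $DOCKER_ROOT exactly as if it lived under /var/lib/docker, and
# restorecon then rewrites the on-disk labels to match.
print_fix() {
    cat <<EOF
sudo semanage fcontext -a -e /var/lib/docker $DOCKER_ROOT
sudo restorecon -R -v $DOCKER_ROOT
EOF
}

# Live check, only when the custom root exists on this host
if [ -d "$DOCKER_ROOT" ]; then
    line=$(ls -ladZ "$DOCKER_ROOT")
    if docker_label_ok "$line"; then
        echo "$DOCKER_ROOT is labelled container_var_lib_t"
    else
        echo "$DOCKER_ROOT has type $(selinux_type_of_ls_line "$line"); fix with:"
        print_fix
    fi
fi
```

Run it as root-less first: the check itself only needs `ls -Z`, and the printed `semanage`/`restorecon` commands are the part that changes the system. After applying them, `ls -ladZ /bigone/opt/docker/volumes/<name>` should show `container_var_lib_t`, and the `:z` volume relabel in `docker run` has a correctly labelled parent to work from.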