Add information about running with SELinux

[mbollmann]

TL;DR: Users running with SELinux enabled need to add :z to their volume specifications for all volumes that are outside the regular docker directories (e.g., in the user's home directory). I suggest adding some information about that to the documentation, since it wasn't obvious to me and I spent several hours researching this issue.

---

I've just tried to get paperless-ng up and running on a local machine (Fedora 34, local harddisk), and was running into a permissions issue that looked very similar to #1056: "Permission denied" errors on all folders within my $HOME directory.

For example, trying to run the docker image would give me:

SystemCheckError: System check identified some issues:

ERRORS:
?: PAPERLESS_CONSUMPTION_DIR is not writeable
        HINT: Set the permissions of 
drwxr-xr-x /usr/src/paperless/src/../consume
 to be writeable by the user running the Paperless services

If I changed docker-compose.yml to e.g. move the data folder under my $HOME dir as well, I'd get:

Creating paperless_webserver_run ... done
Paperless-ng docker container starting...
Creating directory ../data/index
mkdir: cannot create directory ‘../data/index’: Permission denied
ERROR: 1

The respective folders were all created with root:root ownership by Docker, no matter what UID/GID I gave in docker-compose.env. I double- and triple-checked that the UID/GIDs were correct and that my Docker installation was set up correctly e.g. with regard to my user belonging to the "docker" group.

After a lot of research, I remembered that my system uses SELinux, so I tried disabling it (sudo setenforce 0) and, lo and behold, the permission issues disappeared!

It appears that to allow Docker images to properly access mounted volumes outside the standard Docker directories when SELinux is enforced, the :z mount option should be added to these volume specifications. Doing this makes all permissions issues go away on my system, and the respective folders are now also created with ownership belonging to my own user's UID/GID.

To be precise, I changed the following lines in docker-compose.yml:

  webserver:
    ...
    volumes:
      - data:/usr/src/paperless/data
      - media:/usr/src/paperless/media
      - ./export:/usr/src/paperless/export:z
      - ./consume:/usr/src/paperless/consume:z

If the data/media directories are changed to e.g. also be mounted locally (./data), they would also need the :z flag.

Hope this helps someone!

[mbollmann]

Addendum: also need to add stickysetuid/gid bits to these directories (e.g. chmod ug+s consume/) or Paperless won't be allowed to access the file you move into it.