Documentation notes about running Fn on SELinux systems (#507)

Documentation notes about running Fn on SELinux systems

README.md

@@ -62,7 +62,8 @@ fn start
 
 This will start Fn in single server mode, using an embedded database and message queue. You can find all the
 configuration options [here](docs/operating/options.md). If you are on Windows, check [here](docs/operating/windows.md).
- 
+If you are on a Linux system where the SELinux security policy is set to "Enforcing", such as OEL7.x, check
+[here](docs/operating/selinux.md).
 
 ### Your First Function
 

docs/operating/options.md

@@ -50,6 +50,10 @@ One way is to mount the host Docker. Everything is essentially the same except y
 docker run --rm --name functions -it -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/data:/app/data -p 8080:8080 fnproject/fnserver
 ```
 
+On Linux systems where SELinux is enabled and set to "Enforcing", SELinux will stop the container from accessing
+the host docker and the local directory mounted as a volume, so this method cannot be used unless security restrictions
+are disabled.
+
 ### Run outside Docker
 
 You can of course just run the binary directly, you'll just have to change how you set the environment variables above.

docs/operating/selinux.md

@@ -0,0 +1,20 @@
+# Running on SELinux systems
+
+Systems such as OEL 7.x where SELinux is enabled and the security policies are set to "Enforcing" will restrict Fn from
+running containers and mounting volumes.
+
+For local development, you can relax SELinux constraints by running this command in a root shell:
+
+```sh
+setenforce permissive
+```
+
+Then you will be able to run `fn start` as normal.
+
+Alternatively, use the docker-in-docker deployment that a production system would use:
+
+```sh
+docker run --privileged --rm --name fns -it -v $PWD/data:/app/data -p 8080:8080 fnproject/functions
+```
+
+Check the [operating options](options.md) for further details about this.