Fix SELinux labels to allow shared use.

[Alexhuszagh]

Ensure that the volumes are not mounted as private, unshared volumes since we might mount with the host filesystem. This also fixes permissions issues with reading data from a mounted volume using a rootless container engine.

Fixes a bug introduced in #251.
Closes #961.

This is because the Z SELinux label assumes the data is not shared between containers and not being used by the host, as documented below:

If you use selinux you can add the z or Z options to modify the selinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.

• The z option indicates that the bind mount content is shared among multiple containers.
• The Z option indicates that the bind mount content is private and unshared.

Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.

Prior to this, we used the Z label, when we should have been using the z label.

[Alexhuszagh]

You can test the logic behind this with the following (use Fedora since it comes with SELinux enforced by default):

$ getenforce
Enforcing
# no label
$ podman run -it --rm -v "$PWD":"$PWD" -w "$PWD" ubuntu:20.04 bash -c "ls"
ls: cannot open directory '.': Permission denied
$ podman run -it --rm -v "$PWD":"$PWD":z -w "$PWD" ubuntu:20.04 bash -c "ls"
Cargo.lock  Cargo.toml  src  target
$ podman run -it --rm -v "$PWD":"$PWD":Z -w "$PWD" ubuntu:20.04 bash -c "ls"
Cargo.lock  Cargo.toml  src  target

Note that once the z or Z SELinux label is used on a directory, Podman or Docker will allow it to be read even if a label is not provided later.

[Emilgardis]

bors r+

[bors]

Build succeeded:

• conclusion

[lriesebos]

Hi, I was wondering, is it worth to have have a release that includes this fix? Like together with other fixes from master as v0.2.5 or if necessary as a patch on v0.2.4? This is a major blocker for Fedora systems and having it as a release would be helpful.

[lriesebos]

@Alexhuszagh ?

[Emilgardis]

Sorry for the lack of response, I want to do this but haven't taken the time to do so. I'm not sure what else we should include in v0.2.5 but just this. I'll make the release tomorrow

[lriesebos]

hi, @Emilgardis took me a while to circle back, but I just tested v0.2.5 and there seems to be a regression (i.e. aa59bf2 still works fine), but I can't reproduce it reliably though.

regardless, when it happens, a permission denied error appears again. looking at the file and generated podman command, it turns out that aa59bf2 also appends :z to cargo path dependencies while v0.2.5 does not. was that removed intentionally, or is that a potential regression?