docs: add SELinux note for Podman socket mounting

On Fedora/RHEL/SELinux systems, the container_t policy blocks connectto
on container_runtime_t sockets. Add --security-opt label=disable to all
Podman socket-mount examples and the podman-compose config.

Verified during local integration test: SELinux denials appear in audit
log without this option; the option resolves them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Stephen Belanger

docs/content/docs/(getting-started)/docker.mdx

@@ -304,7 +304,7 @@ Spacebot supports both rootful and rootless Podman socket paths.
 **Rootful Podman** — start the socket service and mount it:
 
 ```bash
-systemctl enable --now podman.socket
+sudo systemctl enable --now podman.socket
 ```
 
 ```bash
@@ -314,6 +314,7 @@ podman run -d \
   -e SPACEBOT_DEPLOYMENT=docker \
   -v spacebot-data:/data \
   -v /run/podman/podman.sock:/run/podman/podman.sock \
+  --security-opt label=disable \
   -p 19898:19898 \
   ghcr.io/spacedriveapp/spacebot:slim
 ```
@@ -332,13 +333,20 @@ podman run -d \
   -e XDG_RUNTIME_DIR=/run/user/$(id -u) \
   -v spacebot-data:/data \
   -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock \
+  --security-opt label=disable \
   -p 19898:19898 \
   ghcr.io/spacedriveapp/spacebot:slim
 ```
 
 You can also set `DOCKER_HOST=unix:///path/to/podman.sock` to point Spacebot at
 any custom socket location.
 
+> **SELinux note (Fedora, RHEL, and derivatives):** SELinux blocks containers
+> from connecting to the Podman socket by default. Add
+> `--security-opt label=disable` to the `podman run` command, or
+> `security_opt: [label=disable]` in your `podman-compose.yml`, when mounting
+> the socket.
+
 ### Podman Compose
 
 ```yaml
@@ -355,6 +363,8 @@ services:
     environment:
       - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
       - SPACEBOT_DEPLOYMENT=docker
+    security_opt:
+      - label=disable
 
 volumes:
   spacebot-data: