Handle correct mounting of volumes in SELinux enabled systems.

[sebaschi]

On SELinux enabled systems we need extra labels when mounting volumes to avoid issues with ownership.

[Teemperor]

Where did you find docker docks for label=shared? Mostly trying to understand if there is an alternative docker+SELinux setting that sounds more like "give container a clean set of labels".

Aside from that this LGTM.

[sebaschi]

I'm now unsure that this is the correct way when using docker. The relabel=shared shared is actually from the podma-run manpage. I hopped that this would mirror the volume mount option :z for SELinux. But this might only work for podman and not docker. I need to double-check that this also works with docker on a SELinux system, since at some point during testing, docker was a symlink to podman on my system.

In any case, both podman and docker agree that the correct way to do this is by mounting a hostvolume with an added :z label. See https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label for docker, and the --volume section of the podman-run manpage.

In the podman-run (and docker-run) man page, it states that "These suffixes tell Podman to relabel file objects on the shared volumes. The z option tells Podman that two or more containers share the volume content. As a result, podman labels the content with a shared content label." On podman, using "--volume /HOST-DIR:/CONTAINER-DIR" uses a bind mount. Taken together, I reason that using "--mount type=bind, relabel=shared" should have the same semantics.