Ensure that :Z/:z/:U can be used with named volumes

Docker allows relabeling of any volume passed in via -v, even
including named volumes. This normally isn't an issue at all,
given named volumes get the right label for container access
automatically, but this becomes an issue when volume plugins are
involved - these aren't managed by Podman, and may well be
unaware of SELinux labelling. We could automatically relabel
these volumes on creation, but I'm still reluctant to do that
(feels like it could break things). Instead, let's allow :z and
:Z to be used with named volumes, so users can explicitly request
relabel of a volume plugin-backed volume.

We also get :U at the same time. I don't see any real need for it
but it also doesn't seem to hurt, so I didn't bother disabling
it.

Fixes #10273

Signed-off-by: Matthew Heon <mheon@redhat.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
index 6abe152a9..2886f06c1 100644
--- a/test/e2e/run_selinux_test.go
+++ b/test/e2e/run_selinux_test.go
@@ -343,4 +343,12 @@ var _ = Describe("Podman run", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session.OutputToString()).To(ContainSubstring("container_init_t"))
 	})
+
+	It("podman relabels named volume with :Z", func() {
+		session := podmanTest.Podman([]string{"run", "-v", "testvol:/test1/test:Z", fedoraMinimal, "ls", "-alZ", "/test1"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		match, _ := session.GrepString(":s0:")
+		Expect(match).Should(BeTrue())
+	})
 })