Add 'relabel' to --mount options

Currently if a user specifies a --mount option, their is no way to tell SELinux
to relabel the mount point.

This patch addes the relabel=shared and relabel=private options.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>

docs/podman-create.1.md

@@ -464,12 +464,16 @@ Tune a container's memory swappiness behavior. Accepts an integer between 0 and
 
 Attach a filesystem mount to the container
 
-Current supported mount TYPES are bind, and tmpfs.
+Current supported mount TYPES are `bind`, `volume`, and `tmpfs`.
 
        e.g.
 
        type=bind,source=/path/on/host,destination=/path/in/container
 
+       type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
+
+       type=volume,source=vol1,destination=/path/in/container,ro=true
+
        type=tmpfs,tmpfs-size=512M,destination=/path/in/container
 
        Common Options:
@@ -483,8 +487,11 @@ Current supported mount TYPES are bind, and tmpfs.
        Options specific to bind:
 
               · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+
               . bind-nonrecursive: do not setup a recursive bind mount.  By default it is recursive.
 
+              . relabel: shared, private.
+
        Options specific to tmpfs:
 
               · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.

docs/podman-run.1.md

@@ -475,13 +475,15 @@ Tune a container's memory swappiness behavior. Accepts an integer between 0 and
 
 Attach a filesystem mount to the container
 
-Current supported mount TYPES are bind, and tmpfs.
+Current supported mount TYPES are `bind`, `volume`, and `tmpfs`.
 
        e.g.
 
        type=bind,source=/path/on/host,destination=/path/in/container
 
-       type=bind,source=volume-name,destination=/path/in/container
+       type=bind,src=/path/on/host,dst=/path/in/container,relabel=shared
+
+       type=volume,source=vol1,destination=/path/in/container,ro=true
 
        type=tmpfs,tmpfs-size=512M,destination=/path/in/container
 
@@ -495,9 +497,12 @@ Current supported mount TYPES are bind, and tmpfs.
 
        Options specific to bind:
 
-	      · bind-propagation: Z, z, shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+	      · bind-propagation: shared, slave, private, rshared, rslave, or rprivate(default). See also mount(2).
+
 	      . bind-nonrecursive: do not setup a recursive bind mount.  By default it is recursive.
 
+	      . relabel: shared, private.
+
        Options specific to tmpfs:
 
 	      · tmpfs-size: Size of the tmpfs mount in bytes. Unlimited by default in Linux.

pkg/spec/storage.go

@@ -389,7 +389,7 @@ func getBindMount(args []string) (spec.Mount, error) {
 		Type: TypeBind,
 	}
 
-	var setSource, setDest, setRORW, setSuid, setDev, setExec bool
+	var setSource, setDest, setRORW, setSuid, setDev, setExec, setRelabel bool
 
 	for _, val := range args {
 		kv := strings.Split(val, "=")
@@ -467,6 +467,22 @@ func getBindMount(args []string) (spec.Mount, error) {
 			}
 			newMount.Destination = kv[1]
 			setDest = true
+		case "relabel":
+			if setRelabel {
+				return newMount, errors.Wrapf(optionArgError, "cannot pass 'relabel' option more than once")
+			}
+			setRelabel = true
+			if len(kv) != 2 {
+				return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+			}
+			switch kv[1] {
+			case "private":
+				newMount.Options = append(newMount.Options, "z")
+			case "shared":
+				newMount.Options = append(newMount.Options, "Z")
+			default:
+				return newMount, errors.Wrapf(util.ErrBadMntOption, "%s mount option must be 'private' or 'shared'", kv[0])
+			}
 		default:
 			return newMount, errors.Wrapf(util.ErrBadMntOption, kv[0])
 		}