replace deprecated selinux/label calls

These functions were removed in github.com/opencontainers/selinux
v1.12.0.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>

libpod/container_internal_common.go

@@ -3081,7 +3081,7 @@ func (c *Container) relabel(src, mountLabel string, shared bool) error {
 	}
 	// only relabel on initial creation of container
 	if !c.ensureState(define.ContainerStateConfigured, define.ContainerStateUnknown) {
-		label, err := label.FileLabel(src)
+		label, err := selinux.FileLabel(src)
 		if err != nil {
 			return err
 		}

libpod/oci_conmon_linux.go

@@ -22,7 +22,7 @@ import (
 	runcconfig "github.com/opencontainers/cgroups"
 	devices "github.com/opencontainers/cgroups/devices/config"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -147,13 +147,13 @@ func (r *ConmonOCIRuntime) createRootlessContainer(ctr *Container, restoreOption
 // Run the closure with the container's socket label set
 func (r *ConmonOCIRuntime) withContainerSocketLabel(ctr *Container, closure func() error) error {
 	runtime.LockOSThread()
-	if err := label.SetSocketLabel(ctr.ProcessLabel()); err != nil {
+	if err := selinux.SetSocketLabel(ctr.ProcessLabel()); err != nil {
 		return err
 	}
 	err := closure()
 	// Ignore error returned from SetSocketLabel("") call,
 	// can't recover.
-	if labelErr := label.SetSocketLabel(""); labelErr == nil {
+	if labelErr := selinux.SetSocketLabel(""); labelErr == nil {
 		// Unlock the thread only if the process label could be restored
 		// successfully.  Otherwise leave the thread locked and the Go runtime
 		// will terminate it once it returns to the threads pool.

libpod/util_linux.go

@@ -14,6 +14,7 @@ import (
 	"github.com/containers/podman/v5/pkg/rootless"
 	"github.com/containers/storage/pkg/fileutils"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -128,7 +129,7 @@ func assembleSystemdCgroupName(baseSlice, newSlice string) (string, string, erro
 
 var lvpRelabel = label.Relabel
 var lvpInitLabels = label.InitLabels
-var lvpReleaseLabel = label.ReleaseLabel
+var lvpReleaseLabel = selinux.ReleaseLabel
 
 // LabelVolumePath takes a mount path for a volume and gives it an
 // selinux label of either shared or not
@@ -139,9 +140,7 @@ func LabelVolumePath(path, mountLabel string) error {
 		if err != nil {
 			return fmt.Errorf("getting default mountlabels: %w", err)
 		}
-		if err := lvpReleaseLabel(mountLabel); err != nil {
-			return fmt.Errorf("releasing label %q: %w", mountLabel, err)
-		}
+		lvpReleaseLabel(mountLabel)
 	}
 
 	if err := lvpRelabel(path, mountLabel, true); err != nil {

libpod/util_linux_test.go

@@ -31,9 +31,7 @@ func TestLabelVolumePath(t *testing.T) {
 		mLabel := "system_u:object_r:container_file_t:s0:c1,c2"
 		return pLabel, mLabel, nil
 	}
-	lvpReleaseLabel = func(label string) error {
-		return nil
-	}
+	lvpReleaseLabel = func(label string) {}
 
 	// LabelVolumePath should not return an error if the operation is unsupported.
 	err := LabelVolumePath("/foo/bar", "")

pkg/specgen/generate/container_create.go

@@ -22,7 +22,7 @@ import (
 	"github.com/containers/podman/v5/pkg/specgenutil"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"tags.cncf.io/container-device-interface/pkg/parser"
 )
@@ -578,7 +578,7 @@ func createContainerOptions(rt *libpod.Runtime, s *specgen.SpecGenerator, pod *l
 			return nil, err
 		}
 		if processLabel != "" {
-			selinuxOpts, err := label.DupSecOpt(processLabel)
+			selinuxOpts, err := selinux.DupSecOpt(processLabel)
 			if err != nil {
 				return nil, err
 			}

pkg/specgen/generate/security_linux.go

@@ -16,7 +16,7 @@ import (
 	"github.com/containers/podman/v5/pkg/specgen"
 	"github.com/containers/podman/v5/pkg/util"
 	"github.com/opencontainers/runtime-tools/generate"
-	"github.com/opencontainers/selinux/go-selinux/label"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 )
 
@@ -24,19 +24,19 @@ import (
 // input.
 func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig specgen.Namespace, ipcConfig specgen.Namespace) error {
 	if !runtime.EnableLabeling() || s.IsPrivileged() {
-		s.SelinuxOpts = label.DisableSecOpt()
+		s.SelinuxOpts = selinux.DisableSecOpt()
 		return nil
 	}
 
 	var labelOpts []string
 	if pidConfig.IsHost() {
-		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+		labelOpts = append(labelOpts, selinux.DisableSecOpt()...)
 	} else if pidConfig.IsContainer() {
 		ctr, err := runtime.LookupContainer(pidConfig.Value)
 		if err != nil {
 			return fmt.Errorf("container %q not found: %w", pidConfig.Value, err)
 		}
-		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		secopts, err := selinux.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
 			return fmt.Errorf("failed to duplicate label %q : %w", ctr.ProcessLabel(), err)
 		}
@@ -44,13 +44,13 @@ func setLabelOpts(s *specgen.SpecGenerator, runtime *libpod.Runtime, pidConfig s
 	}
 
 	if ipcConfig.IsHost() {
-		labelOpts = append(labelOpts, label.DisableSecOpt()...)
+		labelOpts = append(labelOpts, selinux.DisableSecOpt()...)
 	} else if ipcConfig.IsContainer() {
 		ctr, err := runtime.LookupContainer(ipcConfig.Value)
 		if err != nil {
 			return fmt.Errorf("container %q not found: %w", ipcConfig.Value, err)
 		}
-		secopts, err := label.DupSecOpt(ctr.ProcessLabel())
+		secopts, err := selinux.DupSecOpt(ctr.ProcessLabel())
 		if err != nil {
 			return fmt.Errorf("failed to duplicate label %q : %w", ctr.ProcessLabel(), err)
 		}