From d7cf0966d3249a448ff77a8bd38051e462b40a4d Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Wed, 10 Apr 2024 15:29:03 -0400
Subject: [PATCH 1/2] add support for selinux in verbose mount

This corresponds to specifying the `z` or `Z` option in the third portion of a terse mount specification (i.e. src:trg:z)

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
---
 podman_compose.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/podman_compose.py b/podman_compose.py
index 9c9a6839..43d13834 100755
--- a/podman_compose.py
+++ b/podman_compose.py
@@ -431,6 +431,11 @@ def mount_desc_to_mount_args(compose, mount_desc, srv_name, cnt_name): # pylint
         tmpfs_mode = tmpfs_opts.get("mode", None)
         if tmpfs_mode:
             opts.append(f"tmpfs-mode={tmpfs_mode}")
+    if mount_type == "bind":
+        bind_opts = mount_desc.get("bind", {})
+        selinux = bind_opts.get("selinux", None)
+        if selinux is not None:
+            opts.append(selinux)
     opts = ",".join(opts)
     if mount_type == "bind":
         return f"type=bind,source={source},destination={target},{opts}".rstrip(",")
@@ -486,6 +491,12 @@ def mount_desc_to_volume_args(compose, mount_desc, srv_name, cnt_name): # pylin
     read_only = mount_desc.get("read_only", None)
     if read_only is not None:
         opts.append("ro" if read_only else "rw")
+    if mount_type == "bind":
+        bind_opts = mount_desc.get("bind", {})
+        selinux = bind_opts.get("selinux", None)
+        if selinux is not None:
+            opts.append(selinux)
+
     args = f"{source}:{target}"
     if opts:
         args += ":" + ",".join(opts)

From 3e1f7d554ba555e26648b31b1207be22ebaf4e3e Mon Sep 17 00:00:00 2001
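Review bot: The `selinux` value read in the new `if mount_type == "bind":` block is appended to `opts` unvalidated, so any string present in the compose file lands verbatim inside the `--mount` option list (and, in the second hunk, inside the `src:dst:opts` volume string), including an empty string that produces a dangling `,`. Compose only defines `z` and `Z` for this key, so a whitelist with a clear compose-time error is preferable to whatever podman reports later: `if selinux not in ("z", "Z"): raise ValueError(f"unsupported bind.selinux value {selinux!r} (expected 'z' or 'Z')")`. The same five lines are duplicated in `mount_desc_to_volume_args`; a small helper returning the validated token would keep the two code paths in step. Both enclosing functions start and end outside their hunks. Whether podman's `--mount type=bind` accepts a bare `z`/`Z` token here, as opposed to `relabel=shared|private`, is not visible in this diff and is worth confirming against the podman versions the project targets.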
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Wed, 10 Apr 2024 15:29:03 -0400
Subject: [PATCH 2/2] add tests for selinux with verbose bind mount

based on seccomp test. Without the selinux option, visiting localhost:8080 will give a 404 error because httpd cannot access the file, but with selinux: z the context for the file will be appropriately updated so httpd can access it

Signed-off-by: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
---
 tests/selinux/docker-compose.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 tests/selinux/docker-compose.yml

diff --git a/tests/selinux/docker-compose.yml b/tests/selinux/docker-compose.yml
new file mode 100644
index 00000000..24caab6b
--- /dev/null
+++ b/tests/selinux/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3"
+services:
+  web1:
+    image: busybox
+    command: httpd -f -p 80 -h /var/www/html
+    volumes:
+      - type: bind
+        source: ./docker-compose.yml
+        target: /var/www/html/index.html
+        bind:
+          selinux: z
+    ports:
+      - "8080:80"
+
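Review bot: The `ports` entry `"8080:80"` publishes the served compose file on every host interface, while the commit message only needs `localhost:8080`; `- "127.0.0.1:8080:80"` keeps the test fixture off the network. The fixture also only demonstrates the `selinux: z` relabel on an SELinux-enforcing host — elsewhere httpd presumably serves the file with or without the option, so the check described in the commit message cannot fail there; a leading comment such as `# requires SELinux enforcing: without bind.selinux httpd returns 404 for the mounted file` would save the next reader from drawing the wrong conclusion.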