e2e: fix run_volume_test

[sstosh]

When SELinux is running in enforcing mode,
this test needs to add an suffix :Z to the volume mount.

Signed-off-by: Toshiki Sonoda [email protected]

Does this PR introduce a user-facing change?

None

[rhatdan]

/approve
LGTM
@containers/podman-maintainers PTAL
@edsantiago Thoughts on why this is passing on CI/CD system up til now?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan, sstosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[edsantiago]

There seems to be something magic about /tmp, it does not need SELinux muckery for stat()ing a file (it does for opendir()):

$ i=quay.io/libpod/testimage:20221018
$ mkdir -p /tmp/foo foo
$ touch /tmp/foo/myfile foo/myfile
$ bin/podman run -v /tmp/foo:/data $i ls -l /data/myfile
-rw-rw-r--    1 root     root             0 Jan  4 14:05 /data/myfile
$ bin/podman run -v $(pwd)/foo:/data $i ls -l /data/myfile
ls: /data/myfile: Permission denied       ---- but works with :Z 

! Neither /tmp nor pwd work when given the dirname, not the file path
$ bin/podman run -v /tmp/foo:/data $i ls -l /data
ls: can't open '/data': Permission denied
total 0

Why that is, I defer to you.

[rhatdan]

ls -ldZ /tmp/foo

Might be a (Dir) read allowed, if we switched to touch it should blow up.

[rhatdan]

$ sesearch -A -s container_t -c dir -p read | grep tmp
allow domain tmpfs_t:dir { add_name getattr ioctl lock open read remove_name search write }

[rhatdan]

/lgtm
Anyways this is the correct fix, I have no idea what else is going on.