label option, from libpod.conf, is not being respected. #5087

Closed
fidencio opened this issue Feb 4, 2020 · 3 comments · Fixed by #5225

fidencio commented Feb 4, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

When playing with podman + kata, there's the need to always pass --security-opt label=disable to podman-run. A similar way to achieve that, but for all the containers, would be setting label = false in the libpod.conf. However, it doesn't seem to work.

Steps to reproduce the issue:

On a Fedora 31 machine, using cgroups v1, do:

  1. dnf install kata-runtime
  2. set label=false in the libpod.conf file
  3. podman --runtime /usr/bin/kata-runtime run -it fedora /bin/bash

Describe the results you received:
Error: rpc error: code = Unknown desc = selinux label is specified in config, but selinux is disabled or not supported: OCI runtime error

Describe the results you expected:
Container would be started in the same way as if started using the following command-line: podman --runtime /usr/bin/kata-runtime run --security-opt label=disable fedora /bin/bash

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 1.7.0

Output of podman info --debug:

debug:
  compiler: gc
  git commit: ""
  go version: go1.13.5
  podman version: 1.7.0
host:
  BuildahVersion: 1.12.0
  CgroupVersion: v1
  Conmon:
    package: conmon-2.0.9-2.fc31.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.9, commit: 7d46f3e7711aa3578488284ae2f98b447658f086'
  Distribution:
    distribution: fedora
    version: "31"
  MemFree: 5537505280
  MemTotal: 33534525440
  OCIRuntime:
    name: crun
    package: crun-0.10.6-1.fc31.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 0.10.6
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  SwapFree: 0
  SwapTotal: 0
  arch: amd64
  cpus: 12
  eventlogger: journald
  hostname: laerte
  kernel: 5.4.13-201.fc31.x86_64
  os: linux
  rootless: false
  uptime: 149h 40m 23.83s (Approximately 6.21 days)
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - registry.centos.org
  - quay.io
store:
  ConfigFile: /etc/containers/storage.conf
  ContainerStore:
    number: 3
  GraphDriverName: overlay
  GraphOptions:
    overlay.mountopt: nodev,metacopy=on
  GraphRoot: /var/lib/containers/storage
  GraphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "true"
  ImageStore:
    number: 7
  RunRoot: /var/run/containers/storage
  VolumePath: /var/lib/containers/storage/volumes

Package info (e.g. output of rpm -q podman or apt list podman):

podman-1.7.0-2.fc31.x86_64

Additional environment details (AWS, VirtualBox, physical, etc.):
Physical machine.

@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Feb 4, 2020

mheon commented Feb 4, 2020

@rhatdan PTAL. I doubt containers.conf is going to fix this, that's just moving around where we source the config value from.


rhatdan commented Feb 4, 2020

Well we have an SELinux test right now, and it should be fixed in containers.conf.

@vrothberg

It's still a regression that should be fixed in libpod.conf.

@vrothberg vrothberg self-assigned this Feb 17, 2020
vrothberg added a commit to vrothberg/libpod that referenced this issue Feb 17, 2020
When creating the security config, also check the setting in the
libpod.conf (unless set via the CLI).

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Feb 18, 2020
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
vrothberg added a commit to vrothberg/libpod that referenced this issue Feb 19, 2020
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
snj33v pushed a commit to snj33v/libpod that referenced this issue May 31, 2020
Set the (default) process labels in `pkg/spec`. This way, we can also
query libpod.conf and disable labeling if needed.

Fixes: containers#5087
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023
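
The precedence described in the fix's commit message (the CLI first, then libpod.conf), as an added Go example that is not libpod's own code. The type and function names are hypothetical, and treating any CLI label option other than `disable` as enabling labeling is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// fileConfig and labelDecision are hypothetical types for this example,
// not libpod's own structures.
type fileConfig struct {
	Label bool // the `label` key from libpod.conf
}

type labelDecision struct {
	Enabled bool     // false: no SELinux process label goes into the OCI spec
	Source  string   // which input decided: "cli" or "libpod.conf"
	Opts    []string // label options passed on the CLI, e.g. "type:container_t"
}

// resolveLabeling gives --security-opt label=... precedence and falls back
// to the libpod.conf setting only when the CLI did not mention labels.
func resolveLabeling(securityOpts []string, cfg fileConfig) (labelDecision, error) {
	var opts []string
	for _, o := range securityOpts {
		kv := strings.SplitN(o, "=", 2)
		if kv[0] != "label" {
			continue // seccomp=..., apparmor=... are out of scope here
		}
		if len(kv) != 2 || kv[1] == "" {
			return labelDecision{}, fmt.Errorf("invalid --security-opt %q", o)
		}
		if kv[1] == "disable" {
			return labelDecision{Enabled: false, Source: "cli"}, nil
		}
		opts = append(opts, kv[1])
	}
	if len(opts) > 0 {
		return labelDecision{Enabled: true, Source: "cli", Opts: opts}, nil
	}
	// The step the issue reports as missing: honour label = false from the file.
	return labelDecision{Enabled: cfg.Label, Source: "libpod.conf"}, nil
}

func main() {
	// Constructed inputs: the issue's setup (label = false, no CLI option),
	// then the same config with explicit CLI label options.
	for _, cli := range [][]string{nil, {"label=disable"}, {"label=type:container_t"}} {
		d, err := resolveLabeling(cli, fileConfig{Label: false})
		fmt.Printf("cli=%v -> %+v err=%v\n", cli, d, err)
	}
}
```

With `Enabled` false, no process label is written to the spec, which is the condition under which a runtime without SELinux support no longer rejects the container with the error quoted in the report.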