fix(docker): support SELinux shared label, fixes #7196

[stasadev]

The Issue

• Error: cp: cannot access '/mnt/ddev_config/nginx_full': Permission denied; Fedora with SELinux #7196

How This PR Solves The Issue

Adds SELinux shared label "z" to service volumes in docker-compose https://docs.docker.com/engine/storage/bind-mounts/#configure-the-selinux-label

Adds "-selinux" suffix to docker platform in ddev version.

Manual Testing Instructions

Using Fedora, check for enabled SELinux:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      35

---

With Docker and Fedora (docker context use default):

1. Configure Docker to use SELinux:

   $ cat /etc/docker/daemon.json
   {
       "selinux-enabled": true
   }

2. Restart the daemon sudo systemctl restart docker

3. Check for docker info | grep -B5 selinux, should be here

4. Create a directory, check permissions (user_home_t):

   $ mkdir my-project
   $ ls -ldZ my-project
   drwxr-xr-x. 1 stas stas unconfined_u:object_r:user_home_t:s0 28 Dec 12 17:30 my-project

5. Run cd my-project && ddev config --auto && ddev start - success!

6. Check permissions (container_file_t):

   $ ls -ldZ my-project
   drwxr-xr-x. 1 stas stas system_u:object_r:container_file_t:s0 28 Dec 12 17:30 my-project

---

With Podman and Fedora (docker context use podman-rootless, see ddev/ddev.com#476):

1. Check for docker info | grep -B5 selinux, should be here by default

2. Create a directory, check permissions (user_home_t):

   $ mkdir my-project
   $ ls -ldZ my-project
   drwxr-xr-x. 1 stas stas unconfined_u:object_r:user_home_t:s0 28 Dec 12 17:30 my-project

3. Run cd my-project && ddev config --auto && ddev start - success!

4. Check permissions (container_file_t):

   $ ls -ldZ my-project
   drwxr-xr-x. 1 stas stas system_u:object_r:container_file_t:s0 28 Dec 12 17:30 my-project

Automated Testing Overview

Release/Deployment Notes

[github-actions]

Download the artifacts for this pull request:

• all-ddev-executables.zip
• ddev-macos-amd64.zip
• ddev-macos-arm64.zip
• ddev-linux-arm64.zip
• ddev-linux-amd64.zip
• ddev-windows-amd64.zip
• ddev-windows-amd64-installer.zip
• ddev-windows-arm64.zip
• ddev-windows-arm64-installer.zip

See Testing a PR.

[rfay]

Works great, tested on same fedora with podman that was a complete failure before.

Should we show IsSELinux() in ddev version ? Probably (if on linux)

[stasadev]

Should we show IsSELinux() in ddev version ? Probably (if on linux)

Good idea, I'll add it.