Unsupported volume bind option SELinux label :z and :Z in v2 #9072

@tymonx

Description

The volume bind option SELinux labels :z and :Z are unsupported in v2. It is a regression compared to v1, which was written in Python.
v2 uses compose-spec/compose-go to parse Compose YAML specification files, but the parser is missing support for the volume bind option SELinux labels :z and :Z.

Steps to reproduce the issue:

It requires Linux distribution with enabled SELinux (like Fedora).

  1. Download the docker-compose binary or compile it from source for version v2.0.0 to v2.2.2 (latest)
  2. Create a new local directory dir:
mkdir -p dir
  3. Set the SELinux label user_home_t for the local directory dir:
sudo chcon -R --type user_home_t ./dir
  4. Create a very simple compose.yml YAML file:
---
version: '3.8'

services:
    test:
        image: alpine
        volumes:
            - ./dir:/dir:ro,z
        command: [ls, -al, /dir]
...
  5. Start the service:
docker compose up

Describe the results you received:

compose-test-1  | ls: can't open '/dir': Permission denied
compose-test-1  | total 0
compose-test-1 exited with code 1

Describe the results you expected:

compose-test-1  | total 0
compose-test-1  | drwxrwxr-x    1 1000     1000             0 Jan  1 13:26 .
compose-test-1  | drwxr-xr-x    1 root     root           140 Jan  1 13:29 ..
compose-test-1 exited with code 0

Additional information you deem important (e.g. issue happens only occasionally):

It always happens and it is a regression compared to v1. Working workarounds:

  • sudo chcon -R --type container_file_t ./dir
  • privileged: true
  • security_opt: [label=disable]
  • disable SELinux

Output of docker compose version:

Docker Compose version v2.2.2

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  compose: Docker Compose (Docker Inc., v2.2.2)

Server:
 Containers: 20
  Running: 0
  Paused: 0
  Stopped: 20
 Images: 753
 Server Version: 20.10.11
 Storage Driver: btrfs
  Build Version: Btrfs v5.14.2 
  Library Version: 102
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: /usr/libexec/docker/docker-init
 containerd version: 
 runc version: c42bf99-dirty
 init version: 
 Security Options:
  seccomp
   Profile: default
  selinux
  cgroupns
 Kernel Version: 5.15.12-200.fc35.x86_64
 Operating System: Fedora Linux 35.20220101.0 (Kinoite)
 OSType: linux
 Architecture: x86_64
 CPUs: 32
 Total Memory: 125.8GiB
 Name: fedora
 ID: UY32:WCEB:7QP2:NC2Q:SA77:4A3M:5K6L:VITH:PUZB:6M6R:SIBV:J62A
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

Additional environment details:

None
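To make concrete what the report says the v2 parser drops, here is a stand-alone parser for the short-syntax volume entry used in the reproduction above. It is an added example, not code from the original issue and not compose-go's or Docker's own implementation; it assumes the Docker CLI rules for the mode field (at most one of ro/rw, at most one of z/Z, anything else rejected) and treats a source starting with `/`, `./`, `../` or `~` as a bind mount. Propagation and consistency options are deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Volume is the parsed form of a Compose short-syntax volume entry
// "[SOURCE:]TARGET[:MODE]". This is an illustrative parser written for
// this page, not compose-go's own type.
type Volume struct {
	Source   string // host path, named volume, or "" for an anonymous volume
	Target   string // absolute path inside the container
	Bind     bool   // Source is a host path (starts with /, ./, ../ or ~)
	ReadOnly bool
	SELinux  string // "", "z" (shared relabel) or "Z" (private relabel)
}

// ParseShortVolume parses one short-syntax entry. MODE is a comma-separated
// list drawn from ro, rw, z, Z. Mirroring the Docker CLI, at most one of
// ro/rw and at most one of z/Z may appear; any other option is an error.
func ParseShortVolume(spec string) (Volume, error) {
	var v Volume
	parts := strings.Split(spec, ":")
	switch len(parts) {
	case 1:
		v.Target = parts[0] // anonymous volume, no source
	case 2, 3:
		v.Source, v.Target = parts[0], parts[1]
	default:
		return Volume{}, fmt.Errorf("invalid volume spec %q: too many fields", spec)
	}
	if !strings.HasPrefix(v.Target, "/") {
		return Volume{}, fmt.Errorf("invalid volume spec %q: target must be an absolute path", spec)
	}
	// Assumption: these prefixes mark a host path rather than a named volume.
	for _, p := range []string{"/", "./", "../", "~"} {
		if strings.HasPrefix(v.Source, p) {
			v.Bind = true
		}
	}
	if len(parts) == 3 {
		rw, label := 0, 0
		for _, opt := range strings.Split(parts[2], ",") {
			switch opt {
			case "ro", "rw":
				rw++
				v.ReadOnly = opt == "ro"
			case "z", "Z":
				label++
				v.SELinux = opt // must survive into the engine request
			default:
				return Volume{}, fmt.Errorf("invalid volume spec %q: unknown option %q", spec, opt)
			}
		}
		if rw > 1 || label > 1 {
			return Volume{}, fmt.Errorf("invalid volume spec %q: conflicting options", spec)
		}
	}
	return v, nil
}

// ModeString renders the mode field to hand to the engine. Dropping the
// SELinux suffix here is exactly the failure the report describes: the
// bind mount is created, but the host files keep user_home_t and the
// container process is denied access.
func (v Volume) ModeString() string {
	mode := "rw"
	if v.ReadOnly {
		mode = "ro"
	}
	if v.SELinux != "" {
		mode += "," + v.SELinux
	}
	return mode
}

func main() {
	for _, spec := range []string{"./dir:/dir:ro,z", "data:/data:Z", "/srv:/srv:z,Z", "/srv:/srv:bogus"} {
		v, err := ParseShortVolume(spec)
		if err != nil {
			fmt.Println(spec, "=>", err)
			continue
		}
		fmt.Printf("%s => bind=%v mode=%s\n", spec, v.Bind, v.ModeString())
	}
}
```

The `z`/`Z` suffix is what tells the engine to run its own relabel (the equivalent of the `chcon --type container_file_t` workaround listed above) before the container starts, so a parser that accepts the option but never forwards it produces the silent "Permission denied" seen in the report rather than a load-time error.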
