nomad-driver-podman
Setting selinuxlabel="z" in the client driver config breaks CSI hostpath plugin job
I was trying to get the csi-hostpath plugin working on Fedora CoreOS which has SELinux set to enforcing by default. I kept getting this error:
```
rpc error: code = Unknown desc = failed to start task, could not start container: cannot start container, status code: 500: {"cause":"SELinux relabeling of /dev is not allowed","message":"SELinux relabeling of /dev is not allowed","response":500}
```
Removing selinuxlabel = "z" from the plugin section of the client config allows the job to start without this error.
```hcl
plugin "nomad-driver-podman" {
  config {
    volumes {
      enabled      = true
      selinuxlabel = "z"
    }
  }
}
```
Now I have to explicitly set it on volumes:
```hcl
config {
  image = "docker.io/fluent/fluentd:latest"
  volumes = [
    "local/fluent.conf:/fluentd/etc/fluent.conf:z"
  ]
}
```
which isn't a huge deal, but we should document this in the README (I can PR that if that's the best course of action) or not apply the automatic selinuxlabel to CSI plugin jobs (I am not sure if that is even possible).
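Added example, not part of the original issue or the driver's code: once the driver-wide `selinuxlabel` is removed, each mount has to carry its own label, so this sketch audits a job's `volumes` strings for entries that lost their `z`/`Z` option and for entries that request a relabel of `/dev`, the path the error above refuses. The function names, the status strings and the sample volume list are assumptions made for illustration.

```python
# Added example: audit podman-style volume strings for SELinux relabel options.
RELABEL_OPTS = {"z", "Z"}
# Assumption: only /dev is listed, because it is the path named in the error above.
NO_RELABEL_PREFIXES = ("/dev",)

def parse_volume(spec):
    """Split 'source:target[:opt1,opt2]' into (source, target, [options])."""
    parts = spec.split(":")
    if not 2 <= len(parts) <= 3 or not parts[0] or not parts[1]:
        raise ValueError(f"unrecognised volume spec: {spec!r}")
    opts = [o for o in parts[2].split(",") if o] if len(parts) == 3 else []
    return parts[0], parts[1], opts

def under(path, prefix):
    """True if path is prefix itself or lies below it (so /devices is not /dev)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def audit_volume(spec):
    """Classify one volume string; the status names are hypothetical."""
    source, _target, opts = parse_volume(spec)
    relabel = RELABEL_OPTS.intersection(opts)
    blocked = any(under(source, p) for p in NO_RELABEL_PREFIXES)
    if blocked and relabel:
        return "relabel-refused"   # matches the "relabeling of /dev" error
    if blocked:
        return "ok-no-relabel"     # mounted as-is, no label requested
    if not relabel:
        return "missing-label"     # nothing relabels this mount any more
    return "ok"

def audit_job(volumes):
    """Map every volume string of a task to its audit status."""
    return {v: audit_volume(v) for v in volumes}

if __name__ == "__main__":
    # Constructed sample: the fluentd mount from the issue plus made-up entries.
    sample = [
        "local/fluent.conf:/fluentd/etc/fluent.conf:z",
        "local/fluent.conf:/fluentd/etc/fluent.conf",
        "secrets/cert.pem:/etc/cert.pem:ro,Z",
        "/dev:/dev:z",
        "/dev:/dev",
    ]
    for spec, status in audit_job(sample).items():
        print(f"{status:16} {spec}")
```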
This might fix things here too? https://github.com/hashicorp/nomad-driver-podman/pull/66
@tgross can #66 get merged? I just verified that it fixes this issue.
It never got reviewed for some reason and currently has a merge conflict. This week the team has their plate full with the Nomad 1.4.0 release but I'll try to nudge folks about taking a look soon.