From 01b671bc79857273e4e3a25a81ee4ee772b8877f Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 22 Feb 2023 17:46:07 -0500
Subject: [PATCH] Don't hard code SELinux labels into code
These labels can be changed based on installed policy. I am working on allowing containers within containers, but this will require different SELinux label types other then container_file_t.
Signed-off-by: Daniel J Walsh
---
drivers/overlay/overlay.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/overlay/overlay.go b/drivers/overlay/overlay.go
index 9f234105da..d85cdd9514 100644
--- a/drivers/overlay/overlay.go
+++ b/drivers/overlay/overlay.go
@@ -47,8 +47,7 @@ var (
)
const (
- defaultPerms = os.FileMode(0555)
- selinuxLabelTest = "system_u:object_r:container_file_t:s0"
+ defaultPerms = os.FileMode(0555)
)
// This backend uses the overlay union filesystem for containers
@@ -657,6 +656,8 @@ func SupportsNativeOverlay(home, runhome string) (bool, error) {
func supportsOverlay(home string, homeMagic graphdriver.FsMagic, rootUID, rootGID int) (supportsDType bool, err error) {
// We can try to modprobe overlay first
+ selinuxLabelTest := selinux.PrivContainerMountLabel()
+ exec.Command("modprobe", "overlay").Run()
logLevel := logrus.ErrorLevel
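Review bot: In the second hunk, `selinuxLabelTest := selinux.PrivContainerMountLabel()` replaces a constant that was always a well-formed label with a value read from the installed policy, and nothing in the hunk checks that value before the rest of `supportsOverlay` uses it; the function body continues outside the hunk, so the use site is not visible here. If the lookup can return an empty string (presumably the case when SELinux support is absent; confirm against the vendored go-selinux), the use site should skip the label rather than pass an empty one along, e.g. `if selinuxLabelTest != "" { /* apply label */ }`. Because this function is a capability probe, a label that the host policy rejects would likely surface as "overlay not supported". A comment such as `// mount label comes from the installed SELinux policy, not a fixed type`, plus the label value in the probe's failure log, would make that case diagnosable.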