dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts

Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

e6fc34b71a/libpod/networking_linux.go (L396-L401)

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cdaf82ba3f)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

contrib/dockerd-rootless.sh

@@ -84,6 +84,12 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
 		echo "This script must be executed as a non-privileged user"
 		exit 1
 	fi
+	# `selinuxenabled` always returns false in RootlessKit child, so we execute `selinuxenabled` in the parent.
+	# https://github.com/rootless-containers/rootlesskit/issues/94
+	if command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled; then
+		_DOCKERD_ROOTLESS_SELINUX=1
+		export _DOCKERD_ROOTLESS_SELINUX
+	fi
 	# Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
 	#
 	# --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
@@ -105,5 +111,12 @@ else
 	# remove the symlinks for the existing files in the parent namespace if any,
 	# so that we can create our own files in our mount namespace.
 	rm -f /run/docker /run/containerd /run/xtables.lock
+
+	if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then
+		# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
+		# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
+		# https://github.com/moby/moby/issues/41230
+		chcon system_u:object_r:iptables_var_run_t:s0 /run
+	fi
 	exec dockerd $@
 fi