From d9011b36176d6245bdc25401633c213d73e14ea0 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 28 Oct 2015 15:41:46 -0400
Subject: [PATCH] Fix relabel for SELinux

With the changes merged into runc/libcontainer, are now causing SELinux to attempt a relabel always, even if the user did not request the relabel. If the user does not specify Z or z on the volume mount we should not attempt a relabel.

Signed-off-by: Dan Walsh
---
 daemon/volumes.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/daemon/volumes.go b/daemon/volumes.go
index cca889830f..a589de66ae 100644
--- a/daemon/volumes.go
+++ b/daemon/volumes.go
@@ -135,9 +135,10 @@ func (daemon *Daemon) registerMountPoints(container *Container, hostConfig *runc
 bind.Driver = v.DriverName()
 bind = setBindModeIfNull(bind)
 }
- shared := label.IsShared(bind.Mode)
- if err := label.Relabel(bind.Source, container.MountLabel, shared); err != nil {
- return err
+ if label.RelabelNeeded(bind.Mode) {
+ if err := label.Relabel(bind.Source, container.MountLabel, label.IsShared(bind.Mode)); err != nil {
+ return err
+ }
 }
 binds[bind.Destination] = true
 mountPoints[bind.Destination] = bind
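Review bot: The new `label.RelabelNeeded(bind.Mode)` guard is the only thing that stops the daemon from rewriting the SELinux label on `bind.Source`, a host path, yet nothing in the hunk says so or pins it with a test. I would add a comment above the `if`, for example `// Relabel only when the volume mode carries z or Z; relabeling rewrites the SELinux label of the host path.`, and a unit test in which a bind without z/Z leaves the source label untouched. The inner `return err` also drops which source failed; if the file already imports `fmt`, `return fmt.Errorf("relabeling %s: %v", bind.Source, err)` would make the failure traceable. registerMountPoints starts and ends outside the hunk, so how `bind.Mode` is populated and validated before this point is not visible here.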