From e0b22c0b9e013527ef121250b51ae780d2d2912d Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 9 Sep 2017 01:22:09 +0200
Subject: [PATCH] volume: evaluate symlinks before relabeling mount source

Simple reproducer:
```sh
$ mkdir /var/foo
$ touch /var/foo/test
$ ln -s /var/foo /var/bar
$ docker run -ti -v /var/bar:/var/bar:Z fedora sh
sh-4.3# ls -lZ /var/bar/
ls: cannot open directory '/var/bar/': Permission denied
```

Signed-off-by: Antonio Murdaca
---
 volume/volume.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/volume/volume.go b/volume/volume.go
index 4aa4de513d..b8ec1e5a00 100644
--- a/volume/volume.go
+++ b/volume/volume.go
@@ -3,6 +3,7 @@ package volume
 import (
 "fmt"
 "os"
+ "path/filepath"
 "syscall"
 "time"
@@ -155,13 +156,20 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.IDPair, checkFun f
 return
 }
- err = label.Relabel(m.Source, mountLabel, label.IsShared(m.Mode))
+ var sourcePath string
+ sourcePath, err = filepath.EvalSymlinks(m.Source)
+ if err != nil {
+ path = ""
+ err = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source)
+ return
+ }
+ err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
 if err == syscall.ENOTSUP {
 err = nil
 }
 if err != nil {
 path = ""
- err = errors.Wrapf(err, "error setting label on mount source '%s'", m.Source)
+ err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
 }
 }()
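Review bot: In the deferred block of Setup, the relabel now acts on the symlink-resolved `sourcePath`, but the failure message reports only that resolved path, so an operator cannot tell from the error which requested volume caused a different host directory to be relabelled. I would report both, e.g. `err = errors.Wrapf(err, "error setting label on mount source %q (resolved from %q)", sourcePath, m.Source)`, which also matches the `%q` quoting of the new symlink-evaluation message above it. The resolution is also a point-in-time result used only for the relabel here. If the mount itself (outside this hunk) still goes through `m.Source`, a link that changes in between would leave the labelled path and the mounted path different, so it seems worth carrying the resolved path through or adding a comment saying why that is not needed. The closure starts before the hunk, so the surrounding error handling is not fully visible.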