expand_volume `::` shorthand missing SELinux label #63
Description
Note
This issue was identified and drafted by Claude Code during a SPEC.md review. Waiting for @asmacdo to confirm before acting on it.
Problem
expand_volume("~/data::ro") produces $HOME/data:$HOME/data:ro with no SELinux label suffix. On SELinux-enforcing systems (Fedora, RHEL), this causes EACCES when the container tries to access the mount.
The hardcoded gitconfig mount correctly uses ro,z, and the plain shorthand form (~/data) correctly appends :Z — but the :: form does not append any label.
Reproduce
On a Fedora host with SELinux enforcing:
# In .git/yolo/config:
YOLO_PODMAN_VOLUMES=("~/data::ro")
# Run yolo — the ~/data mount will fail with permission denied
Expected
~/data::ro should produce $HOME/data:$HOME/data:ro,Z (or ro,z), matching the behavior of other shorthand forms.
Notes
The config template comment in bin/yolo print_config_template() already documents the expected output as ro,Z:
# "~/projects::ro" -> ~/projects:~/projects:ro,Z (1-to-1 with options)
So the comment describes the intended behavior but expand_volume() doesn't implement it. The fix should append ,Z (or ,z to match the default mount convention) and the comment should be updated to match whichever is chosen.
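A sketch of the expansion this issue asks for, added here as an example and not the project's own `expand_volume()`: the function names, the pass-through of full `src:dst[:opts]` specs and the choice of `Z` over `z` are assumptions. It goes one step beyond the issue by not appending a second label when the options already carry `z` or `Z`.

```shell
# Hypothetical sketch, not the code in bin/yolo.
# Podman labels: Z = private to this container, z = shared between containers.
SELINUX_LABEL=Z   # assumption: the issue leaves the Z-versus-z choice open

# Replace a leading "~" with $HOME (a quoted "~" is not expanded by the shell).
expand_home() (
  p=$1
  case $p in
    "~")   p=$HOME ;;
    "~/"*) p=$HOME/${p#\~/} ;;
  esac
  printf '%s\n' "$p"
)

# Append the SELinux label to a comma-separated option list,
# unless the list already contains z or Z.
with_label() (
  opts=$1
  case ",$opts," in
    *,z,*|*,Z,*) printf '%s\n' "$opts" ;;
    ,,)          printf '%s\n' "$SELINUX_LABEL" ;;
    *)           printf '%s\n' "$opts,$SELINUX_LABEL" ;;
  esac
)

expand_volume_sketch() (
  spec=$1
  case $spec in
    *::*)   # "path::opts": 1-to-1 mount with options, the form this issue covers
      path=$(expand_home "${spec%%::*}")
      opts=$(with_label "${spec#*::}")
      printf '%s:%s:%s\n' "$path" "$path" "$opts" ;;
    *:*)    # full src:dst[:opts] spec: passed through unchanged (assumption)
      printf '%s\n' "$spec" ;;
    *)      # plain "path": 1-to-1 mount, label only
      path=$(expand_home "$spec")
      printf '%s:%s:%s\n' "$path" "$path" "$(with_label "")" ;;
  esac
)
```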