proposed fix

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

libcontainer/container_linux.go

@@ -11,12 +11,14 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/execabs"
@@ -512,7 +514,18 @@ func (c *Container) newParentProcess(p *Process) (parentProcess, error) {
 	} else {
 		var err error
 		if isDmzBinarySafe(c.config) {
+			if label := c.config.ProcessLabel; label != "" {
+				runtime.LockOSThread()
+				if err := selinux.SetFSCreateLabel(label); err != nil {
+					runtime.UnlockOSThread()
+					return nil, fmt.Errorf("unable to set selinux fs create label: %w", err)
+				}
+			}
 			dmzExe, err = dmz.Binary(c.stateDir)
+			if c.config.ProcessLabel != "" {
+				selinux.SetFSCreateLabel("")
+				runtime.UnlockOSThread()
+			}
 			if err == nil {
 				// We can use our own executable without cloning if we are using
 				// runc-dmz.