containers · kolyshkin · May 13, 2026
diff --git a/.golangci.yml b/.golangci.yml
@@ -79,6 +79,11 @@ linters:
       - linters:
           - unused
         text: "(rootlessPortSyncR|rootlessPortSyncW)"
+      # TODO: remove once https://github.com/leighmcculloch/gocheckcompilerdirectives/issues/7 is fixed.
+      - text: "compiler directive unrecognized: //go:fix"
+        linters:
+          - gocheckcompilerdirectives
+
 
 issues:
   max-issues-per-linter: 0

diff --git a/go.mod b/go.mod
@@ -53,7 +53,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/runtime-spec v1.3.0
 	github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8
-	github.com/opencontainers/selinux v1.14.1
+	github.com/opencontainers/selinux v1.15.0
 	github.com/openshift/imagebuilder v1.2.21
 	github.com/rootless-containers/rootlesskit/v2 v2.3.6
 	github.com/shirou/gopsutil/v4 v4.26.4
@@ -188,3 +188,5 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect
 )
+
+replace github.com/opencontainers/selinux => github.com/kolyshkin/selinux v1.0.0-rc1.0.20260518175914-f8d72733cb1b
diff --git a/go.sum b/go.sum
@@ -211,6 +211,8 @@ github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXD
 github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
+github.com/kolyshkin/selinux v1.0.0-rc1.0.20260518175914-f8d72733cb1b h1:HfvF/GDLatMGUDcJ5oGnQ9VuhSCSBpoqDPehJpm7lto=
+github.com/kolyshkin/selinux v1.0.0-rc1.0.20260518175914-f8d72733cb1b/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -297,8 +299,6 @@ github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5
 github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8 h1:2NAWFjN0PmdIe3XojVL9wf3lJ1//VqAgc7MOSYHQslE=
 github.com/opencontainers/runtime-tools v0.9.1-0.20260316125833-8a4db579f5c8/go.mod h1:DKDEfzxvRkoQ6n9TGhxQgg2IM1lY4aM0eaQP4e3oElw=
-github.com/opencontainers/selinux v1.14.1 h1:a7XlXV/nN/l5zFP1FWZYoExpClu1QOPMfWUV2CZ8kEQ=
-github.com/opencontainers/selinux v1.14.1/go.mod h1:LenyElirjUHszfxrjuFqC85HIeXZKumHcKMQtnaDlQQ=
 github.com/openshift/imagebuilder v1.2.21 h1:XX0tZVznWTxzYevvNVZ/0eeTzmgY6cfcT4/xjs5ToyU=
 github.com/openshift/imagebuilder v1.2.21/go.mod h1:+L09sXUQ0RPdCU1tmzKrfBhqMlYvZtaA3MHb7aTjVU8=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
@@ -24,6 +24,7 @@ import (
 	securejoin "github.com/cyphar/filepath-securejoin"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
+	"github.com/opencontainers/selinux/go-selinux"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 	"go.podman.io/buildah/copier"
@@ -44,7 +45,6 @@ import (
 	envLib "go.podman.io/podman/v6/pkg/env"
 	"go.podman.io/podman/v6/pkg/lookup"
 	"go.podman.io/podman/v6/pkg/rootless"
-	"go.podman.io/podman/v6/pkg/selinux"
 	"go.podman.io/podman/v6/pkg/systemd/notifyproxy"
 	"go.podman.io/podman/v6/pkg/util"
 	"go.podman.io/storage"
@@ -573,9 +573,9 @@ func (c *Container) processLabel(processLabel string) (string, error) {
 	if !ok || !strings.Contains(label, "type:") {
 		switch {
 		case c.ociRuntime.SupportsKVM():
-			return selinux.KVMLabel(processLabel)
+			return selinux.ChangeLabelType(processLabel, selinux.TypeKVMProcess)
 		case c.Systemd():
-			return selinux.InitLabel(processLabel)
+			return selinux.ChangeLabelType(processLabel, selinux.TypeInitProcess)
 		}
 	}
 	return processLabel, nil

diff --git a/pkg/selinux/selinux.go b/pkg/selinux/selinux.go
@@ -4,43 +4,20 @@ import (
 	"github.com/opencontainers/selinux/go-selinux"
 )
 
-// KVMLabel returns labels for running kvm isolated containers
+// KVMLabel returns labels for running kvm isolated containers.
+//
+// Deprecated: use [selinux.ChangeLabelType].
+//
+//go:fix inline
 func KVMLabel(cLabel string) (string, error) {
-	if cLabel == "" {
-		// selinux is disabled
-		return "", nil
-	}
-	processLabel, err := selinux.KVMContainerLabel()
-	if err != nil {
-		return "", err
-	}
-	selinux.ReleaseLabel(processLabel)
-	return swapSELinuxLabel(cLabel, processLabel)
+	return selinux.ChangeLabelType(cLabel, selinux.TypeKVMProcess)
 }
 
-// InitLabel returns labels for running systemd based containers
+// InitLabel returns labels for running systemd based containers.
+//
+// Deprecated: use [selinux.ChangeLabelType].
+//
+//go:fix inline
 func InitLabel(cLabel string) (string, error) {
-	if cLabel == "" {
-		// selinux is disabled
-		return "", nil
-	}
-	processLabel, err := selinux.InitContainerLabel()
-	if err != nil {
-		return "", err
-	}
-	selinux.ReleaseLabel(processLabel)
-	return swapSELinuxLabel(cLabel, processLabel)
-}
-
-func swapSELinuxLabel(cLabel, processLabel string) (string, error) {
-	dcon, err := selinux.NewContext(cLabel)
-	if err != nil {
-		return "", err
-	}
-	scon, err := selinux.NewContext(processLabel)
-	if err != nil {
-		return "", err
-	}
-	dcon["type"] = scon["type"]
-	return dcon.Get(), nil
+	return selinux.ChangeLabelType(cLabel, selinux.TypeInitProcess)
 }
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/label/label_linux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_linux.go
diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux_stub.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -511,7 +511,7 @@ github.com/opencontainers/runtime-spec/specs-go
 github.com/opencontainers/runtime-tools/generate
 github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/validate/capabilities
-# github.com/opencontainers/selinux v1.14.1
+# github.com/opencontainers/selinux v1.15.0 => github.com/kolyshkin/selinux v1.0.0-rc1.0.20260518175914-f8d72733cb1b
 ## explicit; go 1.22
 github.com/opencontainers/selinux/go-selinux
 github.com/opencontainers/selinux/go-selinux/label
@@ -1182,3 +1182,4 @@ tags.cncf.io/container-device-interface/pkg/parser
 # tags.cncf.io/container-device-interface/specs-go v1.1.0
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
+# github.com/opencontainers/selinux => github.com/kolyshkin/selinux v1.0.0-rc1.0.20260518175914-f8d72733cb1b