chore: add SELinux option Z for all read-only volume mounts

scripts/release_scripts/run_macaron.sh

@@ -257,7 +257,7 @@ if [[ -n "${arg_defaults_path:-}" ]]; then
     argv_main+=("--defaults-path" "${MACARON_WORKSPACE}/defaults/${file_name}")
 
     defaults_path="$(ensure_absolute_path "${defaults_path}")"
-    mounts+=("-v" "${defaults_path}:${MACARON_WORKSPACE}/defaults/${file_name}:ro")
+    mounts+=("-v" "${defaults_path}:${MACARON_WORKSPACE}/defaults/${file_name}:ro,Z")
 fi
 
 # Determine the policy path to be mounted into ${MACARON_WORKSPACE}/policy/${file_name}
@@ -268,7 +268,7 @@ if [[ -n "${arg_policy:-}" ]]; then
     argv_main+=("--policy" "${MACARON_WORKSPACE}/policy/${file_name}")
 
     policy="$(ensure_absolute_path "${policy}")"
-    mounts+=("-v" "${policy}:${MACARON_WORKSPACE}/policy/${file_name}:ro")
+    mounts+=("-v" "${policy}:${MACARON_WORKSPACE}/policy/${file_name}:ro,Z")
 fi
 
 # MACARON entrypoint - Analyze action argvs
@@ -280,7 +280,7 @@ if [[ -n "${arg_template_path:-}" ]]; then
     argv_action+=("--template-path" "${MACARON_WORKSPACE}/template/${file_name}")
 
     template_path="$(ensure_absolute_path "${template_path}")"
-    mounts+=("-v" "${template_path}:${MACARON_WORKSPACE}/template/${file_name}:ro")
+    mounts+=("-v" "${template_path}:${MACARON_WORKSPACE}/template/${file_name}:ro,Z")
 fi
 
 # Determine the config path to be mounted into ${MACARON_WORKSPACE}/config/${file_name}
@@ -291,7 +291,7 @@ if [[ -n "${arg_config_path:-}" ]]; then
     argv_action+=("--config-path" "${MACARON_WORKSPACE}/config/${file_name}")
 
     config_path="$(ensure_absolute_path "${config_path}")"
-    mounts+=("-v" "${config_path}:${MACARON_WORKSPACE}/config/${file_name}:ro")
+    mounts+=("-v" "${config_path}:${MACARON_WORKSPACE}/config/${file_name}:ro,Z")
 fi
 
 # Determine the sbom path to be mounted into ${MACARON_WORKSPACE}/sbom/${file_name}
@@ -302,7 +302,7 @@ if [[ -n "${arg_sbom_path:-}" ]]; then
     argv_action+=("--sbom-path" "${MACARON_WORKSPACE}/sbom/${file_name}")
 
     sbom_path="$(ensure_absolute_path "${sbom_path}")"
-    mounts+=("-v" "${sbom_path}:${MACARON_WORKSPACE}/sbom/${file_name}:ro")
+    mounts+=("-v" "${sbom_path}:${MACARON_WORKSPACE}/sbom/${file_name}:ro,Z")
 fi
 
 # Determine the provenance expectation path to be mounted into ${MACARON_WORKSPACE}/prov_expectations/${file_name}
@@ -313,7 +313,7 @@ if [[ -n "${arg_prov_exp:-}" ]]; then
     argv_action+=("--provenance-expectation" "${MACARON_WORKSPACE}/prov_expectations/${pe_name}")
 
     prov_exp="$(ensure_absolute_path "${prov_exp}")"
-    mounts+=("-v" "${prov_exp}:${MACARON_WORKSPACE}/prov_expectations/${pe_name}:ro")
+    mounts+=("-v" "${prov_exp}:${MACARON_WORKSPACE}/prov_expectations/${pe_name}:ro,Z")
 fi
 
 # MACARON entrypoint - verify-policy action argvs
@@ -337,17 +337,17 @@ if [[ -n "${arg_datalog_policy_file:-}" ]]; then
     argv_action+=("--file" "${MACARON_WORKSPACE}/policy/${file_name}")
 
     datalog_policy_file="$(ensure_absolute_path "${datalog_policy_file}")"
-    mounts+=("-v" "${datalog_policy_file}:${MACARON_WORKSPACE}/policy/${file_name}:ro")
+    mounts+=("-v" "${datalog_policy_file}:${MACARON_WORKSPACE}/policy/${file_name}:ro,Z")
 fi
 
 # Determine that ~/.gradle/gradle.properties exists to be mounted into ${MACARON_WORKSPACE}/gradle.properties
 if [[ -f "$HOME/.gradle/gradle.properties" ]]; then
-    mounts+=("-v" "$HOME/.gradle/gradle.properties":"${MACARON_WORKSPACE}/gradle.properties:ro")
+    mounts+=("-v" "$HOME/.gradle/gradle.properties":"${MACARON_WORKSPACE}/gradle.properties:ro,Z")
 fi
 
 # Determine that ~/.m2/settings.xml exists to be mounted into ${MACARON_WORKSPACE}/settings.xml
 if [[ -f "$HOME/.m2/settings.xml" ]]; then
-    mounts+=("-v" "$HOME/.m2/settings.xml":"${MACARON_WORKSPACE}/settings.xml:ro")
+    mounts+=("-v" "$HOME/.m2/settings.xml":"${MACARON_WORKSPACE}/settings.xml:ro,Z")
 fi
 
 # Set up proxy.