rootfs-builder: SELinux relabel container volumes

rootfs.sh fails on machines with SELinux in enforcing mode if the
volumes aren't labelled.

This patch labels volumes so the container is able to access them.

In order to do this rootfs directory creation must be moved before the
Docker container is started.  Previously docker-run(1) would create the
rootfs directory in the USE_DOCKER case.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: #266

rootfs-builder/rootfs.sh

@@ -305,6 +305,8 @@ if [ -z "$INSIDE_CONTAINER" ] ; then
 	trap error_handler ERR
 fi
 
+mkdir -p ${ROOTFS_DIR}
+
 if [ -n "${USE_DOCKER}" ] ; then
 	image_name="${distro}-rootfs-osbuilder"
 
@@ -330,6 +332,17 @@ if [ -n "${USE_DOCKER}" ] ; then
 
 	docker_run_args+=" $(docker_extra_args $distro)"
 
+	# Relabel volumes so SELinux allows access (see docker-run(1))
+	if which selinuxenabled 2&>1 >/dev/null && selinuxenabled ; then
+		for volume_dir in "${script_dir}" \
+				  "${ROOTFS_DIR}" \
+				  "${script_dir}/../scripts" \
+				  "${kernel_mod_dir}" \
+				  "${GOPATH_LOCAL}"; do
+			chcon -Rt svirt_sandbox_file_t "$volume_dir"
+		done
+	fi
+
 	#Make sure we use a compatible runtime to build rootfs
 	# In case Clear Containers Runtime is installed we dont want to hit issue:
 	#https://github.com/clearcontainers/runtime/issues/828
@@ -359,7 +372,6 @@ if [ -n "${USE_DOCKER}" ] ; then
 	exit $?
 fi
 
-mkdir -p ${ROOTFS_DIR}
 build_rootfs ${ROOTFS_DIR}
 pushd "${ROOTFS_DIR}" >> /dev/null
 if [ "$PWD" != "/" ] ; then