postCreateCommand fails with EACCES using Docker Engine on an SELinux enforcing system

[strugee]

Basically, what the title says. See also #548; it appears that this bug is caused because the fix there was incomplete. In particular, having skimmed that issue to get a vague, possibly-incorrect understanding that the fix was to detect if the build phase was occurring under Buildah, I see two problems with this:

• Buildah (and Podman) can be run on non-SELinux systems, where this SELinux handling is not necessary (though AFAIK, it's a noop, so making it apply unconditionally is an option for a fix)
• SELinux restrictions are also hitting other, non-build phases - in my case, the postCreateCommand specified in devcontainer.json.

STR (these aren't my exact STR since I'm simplifying out Silverblue-related environmental setup that I'm confident doesn't matter - but if you somehow can't reproduce, I can provide more specific STR)

1. Install Fedora
2. Install Node from somewhere
3. npm install -g @devcontainers/cli
4. Clone home-assistant/core@4721f8e and cd into it
5. devcontainer up --workspace-folder .

Expected result: the command succeeds.

Actual result:

[lots of irrelevant output]
Step 10/10 : USER $IMAGE_USER
 ---> Using cache
 ---> 3876e42a0eba
Successfully built 3876e42a0eba
Successfully tagged vsc-core-6cd99f764fb93154741da6b8ffb75e0d12d5e8fa5728b883b20a277436d294a0-uid:latest
[4768 ms] Start: Run: docker run --sig-proxy=false -a STDOUT -a STDERR -p 8123:8123 -p 5683:5683/udp --mount type=bind,source=/var/home/alex/Development/core,target=/workspaces/core -l devcontainer.local_folder=/var/home/alex/Development/core -l devcontainer.config_file=/var/home/alex/Development/core/.devcontainer/devcontainer.json -e PYTHONASYNCIODEBUG=1 -e GIT_EDITOR=code --wait --entrypoint /bin/sh vsc-core-6cd99f764fb93154741da6b8ffb75e0d12d5e8fa5728b883b20a277436d294a0-uid -c echo Container started
Container started
Running the postCreateCommand from devcontainer.json...

/bin/sh: 1: script/setup: Permission denied
[7214 ms] postCreateCommand failed with exit code 126. Skipping any further user-provided commands.
Error: Command failed: /bin/sh -c script/setup
    at G7 (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:235:130)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async tm (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:4483)
    at async $w (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:3828)
    at async em (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:3032)
    at async pa (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:227:2438)
    at async FtA (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:465:1534)
    at async bH (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:465:964)
    at async TtA (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:482:3848)
    at async iB (/var/home/alex/.local/lib/node_modules/@devcontainers/cli/dist/spec-node/devContainersSpecCLI.js:482:4963)
{"outcome":"error","message":"Command failed: /bin/sh -c script/setup","description":"The postCreateCommand in the devcontainer.json failed.","containerId":"436ea8eaa4dfec5e42c5011ea09cbc45b7f980d8922054c7e93e1ce70cf6bc38"}

Environment info:

% docker --version
Docker version 24.0.5, build %{shortcommit_cli}

% devcontainer --version
0.71.0

% node --version
v20.12.2

% cat /etc/os-release # This is talking about a container image because I'm using Fedora Silverblue and running these commands inside a https://containertoolbx.org/ container - but Docker is running on the host; see below
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container

% type docker
docker is /var/home/alex/bin/docker

% cat ~/bin/docker # Basically, this script detects whether it's being run inside a toolbx container, and if it is, it runs the real command on the host instead of the container, to circumvent container-inside-container issues
#!/bin/sh

BINARY=$(basename $0)

CMDPREFIX=
test -f /run/.toolboxenv && CMDPREFIX='flatpak-spawn --host'

# Can't use `command` because this is a script, not a function/alias.
# This is evil because it breaks with paths including newlines, but those paths are evil anyway.
exec $CMDPREFIX $($CMDPREFIX which -a $BINARY | grep -Fve '~/bin/' -e ~/bin/ | head -1) "$@"

% flatpak-spawn --host getenforce # flatpak-spawn because getenforce doesn't exist inside the toolbx container image
Enforcing