systeminit/si

local-sdf-1 container won't start when SELinux is enforcing

rothgar opened this issue · 0 comments

What happened?

I was getting an error when running si start

Error:
   0: docker api: error 500 Internal Server Error - Cannot link to a non running container: /local-sdf-1 AS /local-web-1/sdf
   1: error 500 Internal Server Error - Cannot link to a non running container: /local-sdf-1 AS /local-web-1/sdf

The container logs say:

Error:
   0: file not found: /run/sdf/jwt_signing_public_key.pem
Location:
   <unknown>

I verified the container mount and saw that the mount exists

{
    "Type": "bind",
    "Source": "/home/jgarr/.local/share/SI/jwt_signing_public_key.pem",
    "Destination": "/run/sdf/jwt_signing_public_key.pem",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
}

The file exists in my home directory, but I realized this machine has SELinux in enforcing mode:

ls -Zl /home/jgarr/.local/share/SI/jwt_signing_public_key.pem
-rw-r--r--. 1 jgarr jgarr unconfined_u:object_r:data_home_t:s0 799 Aug 16 21:43 /home/jgarr/.local/share/SI/jwt_signing_public_key.pem

I set SELinux to permissive, restarted the containers, and it worked.

How can we reproduce this?

Run si start on a system with SELinux enabled.

Operating system

Linux

Architecture

x86_64 / amd64

What browsers are you seeing the problem on?

Chrome

Additional context

I know the fix is to add :Z to the volume here

format!(
    "{}:/run/sdf/jwt_signing_public_key.pem",
    si_data_dir.join("jwt_signing_public_key.pem").display()
)

but I'm not at a computer with dev tools installed, so I can PR it later.
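Added example, not code from the issue author or from the si project: a small Rust program showing the two checks behind this report and the bind-mount string with the relabel suffix applied. It reads the kernel's SELinux enforce flag, extracts the type field from an `ls -Z` context to decide whether a bind source still needs relabelling, and builds the `host:container[:z|:Z]` spec that Docker's `-v` / HostConfig.Binds accepts. The names `jwt_key_bind_spec`, `selinux_enforcing_from`, `needs_relabel` and the `Relabel` enum are assumptions for this example, not si APIs; the label string and data directory are copied from the output in the issue.

```rust
// Added example (not si's own code). Helper names below are hypothetical.
use std::fs;
use std::path::{Path, PathBuf};

/// How Docker/podman should relabel a bind-mount source on SELinux hosts.
/// `:z` = shared label (several containers may mount the same file),
/// `:Z` = private label (one container; the last container started owns it).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Relabel {
    None,
    Shared,
    Private,
}

impl Relabel {
    fn suffix(self) -> &'static str {
        match self {
            Relabel::None => "",
            Relabel::Shared => ":z",
            Relabel::Private => ":Z",
        }
    }
}

/// True when the kernel reports SELinux enforcing ("1" in the enforce file).
/// A missing or unreadable file means SELinux is absent or disabled.
pub fn selinux_enforcing_from(enforce_file: &Path) -> bool {
    fs::read_to_string(enforce_file)
        .map(|s| s.trim() == "1")
        .unwrap_or(false)
}

/// Same check against the real selinuxfs path (equivalent to `getenforce`).
pub fn selinux_enforcing() -> bool {
    selinux_enforcing_from(Path::new("/sys/fs/selinux/enforce"))
}

/// Extract the type field from an SELinux context as printed by `ls -Z`,
/// e.g. "unconfined_u:object_r:data_home_t:s0" -> Some("data_home_t").
pub fn selinux_type(context: &str) -> Option<&str> {
    context.split(':').nth(2)
}

/// A bind source that already carries the type `:z`/`:Z` assign
/// (container_file_t) can be read by the container without relabelling;
/// anything else, such as the data_home_t label in the issue, needs the flag.
pub fn needs_relabel(context: &str) -> bool {
    selinux_type(context) != Some("container_file_t")
}

/// Build "host:container[:z|:Z]" as Docker's `-v` / HostConfig.Binds expects.
pub fn bind_spec(host: &Path, container: &str, relabel: Relabel) -> String {
    format!("{}:{}{}", host.display(), container, relabel.suffix())
}

/// The spec from the issue's `format!` with the relabel flag added.
/// Docker treats `:Z` as a no-op when SELinux is not enabled, so appending it
/// unconditionally is fine; tying it to `enforcing` here only makes the
/// decision visible to the reader.
pub fn jwt_key_bind_spec(si_data_dir: &Path, enforcing: bool) -> String {
    let relabel = if enforcing { Relabel::Private } else { Relabel::None };
    bind_spec(
        &si_data_dir.join("jwt_signing_public_key.pem"),
        "/run/sdf/jwt_signing_public_key.pem",
        relabel,
    )
}

fn main() {
    // Constructed input: the label and directory from the issue's `ls -Z` output.
    let ctx = "unconfined_u:object_r:data_home_t:s0";
    let si_data_dir = PathBuf::from("/home/jgarr/.local/share/SI");
    let enforcing = selinux_enforcing();
    println!("selinux enforcing on this host: {enforcing}");
    println!(
        "key file type: {:?}, needs relabel: {}",
        selinux_type(ctx),
        needs_relabel(ctx)
    );
    println!("bind spec: {}", jwt_key_bind_spec(&si_data_dir, enforcing));
}
```

Two checks worth doing after the change, assuming Docker's documented behaviour: `docker inspect` should then show `"Mode": "Z"` for the mount instead of the empty `"Mode": ""` above, and `ls -Z` on the key should show type container_file_t. One caveat: `:Z` gives the file a private per-container category, so if the same key file is ever bind-mounted into more than one container, the last one started takes the label and the others lose access; `:z` (shared) avoids that at the cost of a label any container on the host can read.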