refactor: wire SELinux label_volumes into runtime volume handling

src/container_magic/core/runner.py

@@ -16,7 +16,12 @@
 from container_magic.core.runtime import Runtime, get_runtime
 from container_magic.core.symlinks import scan_workspace_symlinks
 from container_magic.core.templates import detect_shell, resolve_base_image, resolve_distro_shell
-from container_magic.core.volumes import VolumeContext, expand_mount_path, expand_volumes_for_run
+from container_magic.core.volumes import (
+    VolumeContext,
+    expand_mount_path,
+    expand_volumes_for_run,
+    label_volumes,
+)
 
 
 def _detect_container_home() -> str:
@@ -350,7 +355,8 @@ def run_container(
         workspace_container=f"{container_home}/{config.names.workspace}",
     )
     expanded_volumes = expand_volumes_for_run(config.runtime.volumes, volume_context)
-    for volume in expanded_volumes:
+    labelled_volumes = label_volumes(expanded_volumes)
+    for volume in labelled_volumes:
         run_args.extend(["-v", volume])
 
     # Device passthrough

src/container_magic/generators/run_script.py

@@ -7,7 +7,7 @@
 
 from container_magic.core.config import ContainerMagicConfig
 from container_magic.core.templates import detect_shell, resolve_base_image, resolve_distro_shell
-from container_magic.core.volumes import expand_volumes_for_script
+from container_magic.core.volumes import expand_volumes_for_script, label_volumes
 
 
 def generate_run_script(config: ContainerMagicConfig, project_dir: Path) -> None:
@@ -64,9 +64,10 @@ def generate_run_script(config: ContainerMagicConfig, project_dir: Path) -> None
         "aws_credentials": "aws_credentials" in runtime_features,
     }
 
-    # Expand volume variables for production context
+    # Expand volume variables and apply SELinux labels for production context
     raw_volumes = config.runtime.volumes if config.runtime else []
     expanded_volumes = expand_volumes_for_script(raw_volumes, workdir)
+    expanded_volumes = label_volumes(expanded_volumes)
 
     content = template.render(
         project_name=config.names.image,

tests/integration/test_config_variations.py

@@ -145,7 +145,9 @@ def test_config_regenerates_idempotently(config_fixture, fixtures_dir, temp_proj
         )
 
 
-def test_custom_commands_execute_successfully(fixtures_dir, temp_project, debian_base_image):
+def test_custom_commands_execute_successfully(
+    fixtures_dir, temp_project, debian_base_image
+):
     """Test that custom commands can actually execute in a container."""
     # Use the config with custom commands
     fixture_path = fixtures_dir / "with_custom_commands.yaml"
@@ -296,7 +298,9 @@ def test_direct_script_execution(fixtures_dir, temp_project, debian_base_image):
     assert "Direct execution works" in result.stdout
 
 
-def test_production_workspace_permissions(fixtures_dir, temp_project, debian_base_image):
+def test_production_workspace_permissions(
+    fixtures_dir, temp_project, debian_base_image
+):
     """Test that workspace is copied into production image with correct permissions."""
     # Use minimal config
     fixture_path = fixtures_dir / "minimal.yaml"
@@ -488,6 +492,6 @@ def test_volumes_and_devices_appear_in_generated_files(fixtures_dir, temp_projec
     assert result.returncode == 0, f"cm update failed:\n{result.stderr}"
 
     run_sh = (temp_project / "run.sh").read_text()
-    assert '"-v" "/tmp/test-data:/data:ro"' in run_sh
-    assert '"-v" "/var/log/app:/logs"' in run_sh
+    assert '"-v" "/tmp/test-data:/data:ro,z"' in run_sh
+    assert '"-v" "/var/log/app:/logs:z"' in run_sh
     assert '"--device" "/dev/ttyUSB0"' in run_sh