docs: add SELinux/RHEL notice to container quick start

[aviavraham]

Summary

• Added callout notes to Quick Start sections in both README.md and CONTAINER.md warning RHEL/Fedora/SELinux users that the default commands will fail
• Points users to the existing "Podman Rootless Mode" section which documents the required flags (:z labels, --userns=keep-id, GIT_CONFIG_* env vars)

Context

Following the Quick Start container examples on a Fedora system with SELinux enforcing results in Permission denied and dubious ownership errors. The fix already exists in the Podman Rootless Mode section, but there's no indication in the Quick Start to look there — users hit a wall with no guidance.

Test plan

• Verify the Quick Start commands still render correctly in GitHub markdown
• Confirm the anchor link #podman-rootless-mode resolves correctly in CONTAINER.md
• Confirm the cross-file link CONTAINER.md#podman-rootless-mode resolves from README.md

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Quick Start and container setup examples updated to include SELinux-compatible volume mount labels (use :Z where appropriate) so Podman bind mounts work on SELinux-enabled systems.
  • Guides still warn RHEL/Fedora/SELinux users about permission/ownership errors and point to Podman Rootless Mode for configuration and workarounds.

[coderabbitai]

📝 Walkthrough

Walkthrough

Quick Start container examples in CONTAINER.md and README.md now append SELinux relabeling :Z to Podman -v bind mounts (including :ro,Z for the repository mount) to make the commands SELinux-compatible.

Changes

Podman SELinux volume mounts

Layer / File(s)	Summary
Add :Z to podman -v mounts CONTAINER.md, README.md	Quick Start podman run examples updated: repository mount changed to -v ...:/repo:ro,Z and reports mount to -v ...:/reports:Z in both documentation files.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	Title follows Conventional Commits format (docs: ...) but describes adding a notice, whereas the actual change adds :Z flags directly to commands.	Update title to reflect the actual implementation: 'docs: add SELinux :Z volume flags to container quick start' to accurately match the committed changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[aegeiger]

Instead of this comment I'd suggest editing the command itself. -v /path/to/repo:/repo:ro,Z -v ~/agentready-reports:/reports:Z

[aviavraham]

@aegeiger Good point, just worth noting that the :z / :Z flags only apply when SELinux is enabled and enforcing, and are simply ignored on systems without it. That's actually the reason I suggested linking to the relevant documentation section, it gives users the context to decide whether these options apply to their environment and Linux OS setup.
Do you think it is a better solution than my suggestion?

[aegeiger]

@aviavraham on systems without SELinux this flag is silently ignored without harm, so IMHO we should advise everyone to run it. Tested on macOS.

[aviavraham]

Agree, I will update the MR

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CONTAINER.md`:
- Around line 16-17: Several remaining Podman bind-mount examples in
CONTAINER.md still omit SELinux mount labels and can fail for SELinux-enforcing
users; update every occurrence of the Podman bind-mount examples (the lines
using "podman run -v ..." and the earlier sample mounts like "-v
/path/to/repo:/repo" or "-v ~/agentready-reports:/reports") to append the
appropriate SELinux label (:z or :Z) consistent with the Quick Start fix, or add
a short note next to each Podman example explaining to use :z/:Z for SELinux,
ensuring all Podman run -v examples are updated consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: e305352d-41f0-4915-94ee-5fa73921c2ad

📥 Commits

Reviewing files that changed from the base of the PR and between e238d36 and ff6ac87.

📒 Files selected for processing (2)

• CONTAINER.md
• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Quick Start is fixed, but the same SELinux failure path still exists in other Podman examples.

Good change here. However, several later podman run -v ... examples in this same file still omit :z/:Z, so SELinux-enforcing users can still hit permission errors when following those sections. Please apply the same labeling strategy (or an explicit SELinux note) consistently across the remaining Podman bind-mount examples in CONTAINER.md to avoid repeated copy/paste failures.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CONTAINER.md` around lines 16 - 17, Several remaining Podman bind-mount
examples in CONTAINER.md still omit SELinux mount labels and can fail for
SELinux-enforcing users; update every occurrence of the Podman bind-mount
examples (the lines using "podman run -v ..." and the earlier sample mounts like
"-v /path/to/repo:/repo" or "-v ~/agentready-reports:/reports") to append the
appropriate SELinux label (:z or :Z) consistent with the Quick Start fix, or add
a short note next to each Podman example explaining to use :z/:Z for SELinux,
ensuring all Podman run -v examples are updated consistently.

[github-actions]

📈 Test Coverage Report

Branch	Coverage
This PR	73.7%
Main	72.8%
Diff	✅ +0.9%

---

Coverage calculated from unit tests only

[jwm4]

Review by Bill Murdock (with assistance from Claude Code)

Verdict: Request changes

Good idea to make the Quick Start work out of the box on SELinux systems.

Inconsistent :z vs :Z casing

The PR adds uppercase :Z to the Quick Start examples, but the existing "Podman Rootless Mode" and "Troubleshooting: Permission denied" sections in CONTAINER.md use lowercase :z. The file also has a "Note on SELinux Labels" section explaining the difference between the two. Could you make sure the choice is intentional and consistent, or explain why the Quick Start should use a different variant than the rest of the file?

Other examples

Several other podman run -v examples in CONTAINER.md don't have either flag. Is there a reason the fix should be limited to Quick Start, or should it apply more broadly?