add no-relabeling option to backupPVC configmap

[sseago]

Thank you for contributing to Velero!

Please add a summary of your change

The previous SELinux fix handled podified datamover problems for users who are not setting the readOnly field for their storageclass. When the readOnly field is set (needed for ceph shallow copy), SELinux relabeling can't happen, so datamover backup will fail. This fix adds the spc_t SELinux option in cases when users set this field in the backupPVC configmap. This should only be needed for storageclasses that are already setting readOnly=true, so a new map key won't be needed, just a new value in the struct.

{
    "backupPVC": {
        "storage-class-1": {
            "readOnly": true,
            "spcNoRelabeling": true
        }
    }
}

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

• [x ] Accepted the DCO. Commits without the DCO will delay acceptance.
• [x ] Created a changelog file (make new-changelog) or comment /kind changelog-not-required on this PR.
• [x ] Updated the corresponding documentation in site/content/docs/main.

[codecov]

Codecov Report

Attention: Patch coverage is 20.00000% with 8 lines in your changes missing coverage. Please review.

Project coverage is 59.19%. Comparing base (b34e011) to head (b1035dd).
Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/exposer/csi_snapshot.go	20.00%	6 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8288   +/-   ##
=======================================
  Coverage   59.18%   59.19%           
=======================================
  Files         367      367           
  Lines       30838    30850   +12     
=======================================
+ Hits        18253    18263   +10     
- Misses      11124    11125    +1     
- Partials     1461     1462    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Lyndon-Li]

spcNoRelabeling is only required to set when backupPVCReadOnly=true. However, here we allow users to set it separately.
This would be a security risk strictly speaking, so would we change it to:

if backupPVCReadOnly == true {
     spcNoRelabeling = value.SPCNoRelabeling
}

[shubham-pampattiwar]

+1 sounds good, lets just document this behavior explicitly (i.e. SPCNoRelabeling key would be ignored if backupPVCReadOnly is not set to true.)

[sseago]

OK, I'll do that and update the doc as well.

[sseago]

@Lyndon-Li Slight modification to your suggestion -- if SPCNoRelabeling is true and backupPVCReadOnly is false, then we log a warning and ignore. Also, docs updated to make it clear that the no relabeling field is ignored if readOnly=false.

[shubham-pampattiwar]

/lgtm