update selinux commands

selinux.md

@@ -27,3 +27,24 @@ apply change
 Relabeled /usr/bin/file from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0
 # restorecon -R for recursive
 ```
+
+## Containers
+
+### volumes
+` :z `  shared content label  
+` :Z `  private unshared label  
+` :ro,z ` combine read only and SElinux label  
+
+### udica
+[git](https://github.com/containers/udica)  
+```
+$ podman inspect $(podman ps -f name=<container name> -q) > container.json
+# udica -j container.json  my_container
+```
+
+## denied access
+
+see recent denials
+```
+# ausearch -m avc -ts recent
+```