Unable to mount and relabel CIFS volume in rootless Podman container

(Crossposted in the Rocky subreddit here)
My setup:

  • Rocky 9.4 server with an administrator user (larry) and an unprivileged Podman user (podguy)
  • Podguy runs containers via systemd .container files
  • Container files are located in two directories in podguy’s home: ~/containers/data for config files and generic data, and ~/data for bulk storage (movies, series, music, etc…)
  • The ~/data directory is mounted as a CIFS share, provided by a TrueNAS Scale machine on the same network

If a container tries to start up with a volume mount from the ~/data directory, attempting to do so while relabeling the volume with :z or :Z will cause an error reading something like:

Error: lsetxattr [random file on the share]: operation not supported

and the container will not start. Removing the SELinux flag from the mount allows the container to start, but the mounted volumes will be inaccessible[1]. Outside of the container, as podguy, the files in the share are accessible normally.
This is how the share is mounted in /etc/fstab:

//[TrueNAS IP]/data /home/podguy/data cifs uid=[podguy uid],gid=[podguy gid],credentials=/home/larry/.smbcredentials 0 0

And this is one of the .container files mounting data from the share:

[Container]
Image=docker.io/jellyfin/jellyfin:10.9.9
ContainerName=jellyfin
HostName=jellyfin
UserNS=keep-id
AddDevice=/dev/dri/:/dev/dri/
Volume=/home/podguy/containers/data/jellyfin/config:/config:Z
Volume=/home/podguy/containers/data/jellyfin/cache:/cache:Z
Volume=/home/podguy/data/media/library/movies:/media/movies:z
Volume=/home/podguy/data/media/library/shows:/media/shows:z
Network=slirp4netns:port_handler=slirp4netns
PublishPort=8096:8096/tcp

[Install]
# Start by default on boot
WantedBy=multi-user.target default.target

System info:

NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

Thanks for any help you may provide.

[1] Weirdly enough, while the Jellyfin logs say the mounts are inaccessible, the files themselves are “accessible” in the sense that video playback works, but often subtitles will be desynced, and newly added files will not appear in the library.
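
A preflight check for the situation described in the post, as an added example that is not part of the original post or of Podman: it reads a .container unit and a /proc/mounts-style table and reports every Volume= line that requests :z or :Z relabeling on a path backed by a filesystem type that cannot store per-file SELinux labels. The function names, the sample data (IP, uid and gid are placeholders) and the default set of filesystem types (cifs, smb3) are assumptions.

```python
import os

# Constructed sample data modelled on the post; IP, uid and gid are placeholders.
SAMPLE_MOUNTS = """\
/dev/mapper/rl-root / xfs rw,seclabel,relatime 0 0
/dev/mapper/rl-home /home xfs rw,seclabel,relatime 0 0
//192.0.2.10/data /home/podguy/data cifs rw,relatime,uid=1001,gid=1001 0 0
"""
SAMPLE_UNIT = """\
[Container]
Image=docker.io/jellyfin/jellyfin:10.9.9
Volume=/home/podguy/containers/data/jellyfin/config:/config:Z
Volume=/home/podguy/data/media/library/movies:/media/movies:z
Volume=/home/podguy/data/media/library/shows:/media/shows:z
"""

def parse_mounts(text):
    """Return (mountpoint, fstype) pairs from /proc/mounts-style text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes spaces in paths as \040
            rows.append((fields[1].replace("\\040", " "), fields[2]))
    return rows

def mount_for(path, mounts):
    """Find the mount backing `path`: the longest mountpoint that prefixes it."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, fstype in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            # >= so a later mount stacked on the same mountpoint wins
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, fstype)
    return best

def relabel_conflicts(unit_text, mounts_text, unlabelable=("cifs", "smb3")):
    """List (source, flag, mountpoint, fstype) for volumes whose relabel cannot work."""
    mounts = parse_mounts(mounts_text)
    found = []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        parts = value.split(":")
        # Only host-path volumes with an options field: SRC:DEST:OPTIONS
        if key != "Volume" or len(parts) < 3 or not parts[0].startswith("/"):
            continue
        flags = [o for o in parts[2].split(",") if o in ("z", "Z")]
        backing = mount_for(parts[0], mounts)
        if flags and backing and backing[1] in unlabelable:
            found.append((parts[0], flags[0], backing[0], backing[1]))
    return found

if __name__ == "__main__":
    for src, flag, mountpoint, fstype in relabel_conflicts(SAMPLE_UNIT, SAMPLE_MOUNTS):
        print(f"{src}: ':{flag}' requested, but {mountpoint} is {fstype}")
```

On a live host, pass the contents of /proc/mounts and of the unit file instead of the constructed samples.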