
Commit bd1fe4d

langdon, sallyom, claude authored
fix(run-openclaw-podman): add SELinux :Z mount option on enforcing/permissive hosts (#39449)
* fix(run-openclaw-podman): add SELinux :Z mount option on Linux with enforcing/permissive SELinux
* fix(quadlet): add SELinux :Z label to openclaw.container.in volume mount
* fix(podman): add SELinux :Z mount option for Fedora/RHEL hosts

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: sallyom <[email protected]>

---------

Signed-off-by: sallyom <[email protected]>
Co-authored-by: sallyom <[email protected]>
Co-authored-by: Claude Opus 4.6 <[email protected]>
1 parent 3ea3a1c commit bd1fe4d

File tree

3 files changed

+22
-5
lines changed


CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -46,6 +46,7 @@ Docs: https://docs.openclaw.ai
4646
- Context engine registry/bundled builds: share the registry state through a `globalThis` singleton so duplicated bundled module copies can resolve engines registered by each other at runtime, with regression coverage for duplicate-module imports. (#40115) thanks @jalehman.
4747
- macOS/Tailscale gateway discovery: keep Tailscale Serve probing alive when other remote gateways are already discovered, prefer direct transport for resolved `.ts.net` and Tailscale Serve gateways, and set `TERM=dumb` for GUI-launched Tailscale CLI discovery. (#40167) thanks @ngutman.
4848
- Podman/setup: fix `cannot chdir: Permission denied` in `run_as_user` when `setup-podman.sh` is invoked from a directory the target user cannot access, by wrapping user-switch calls in a subshell that cd's to `/tmp` with `/` fallback. (#39435) Thanks @langdon and @jlcbk.
49+
- Podman/SELinux: auto-detect SELinux enforcing/permissive mode and add `:Z` relabel to bind mounts in `run-openclaw-podman.sh` and the Quadlet template, fixing `EACCES` on Fedora/RHEL hosts. Supports `OPENCLAW_BIND_MOUNT_OPTIONS` override. (#39449) Thanks @langdon and @githubbzxs.
4950

5051
## 2026.3.7
5152
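Review bot: the entry states that the change "Supports `OPENCLAW_BIND_MOUNT_OPTIONS` override", but in this commit the override is only wired into `run-openclaw-podman.sh`; the Quadlet template receives a hard-coded `:Z` with no variable behind it. Qualify the sentence so Quadlet users do not expect the environment variable to take effect, e.g. "Supports `OPENCLAW_BIND_MOUNT_OPTIONS` override in the run script."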

scripts/podman/openclaw.container.in

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ ContainerName=openclaw
1111
UserNS=keep-id
1212
# Keep container UID/GID aligned with the invoking user so mounted config is readable.
1313
User=%U:%G
14-
Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw
14+
Volume={{OPENCLAW_HOME}}/.openclaw:/home/node/.openclaw:Z
1515
EnvironmentFile={{OPENCLAW_HOME}}/.openclaw/.env
1616
Environment=HOME=/home/node
1717
Environment=TERM=xterm-256color
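Review bot: the `:Z` on the `Volume=` line is unconditional and relabels the host's `{{OPENCLAW_HOME}}/.openclaw` tree with a private, per-container SELinux label on every unit start, and unlike the run script there is no `OPENCLAW_BIND_MOUNT_OPTIONS` escape hatch here. That is a sound default for a directory only this container uses, but a second container that mounts the same config directory will be denied access unless both switch to the shared `z` label, and host-side tools that depended on the directory's previous context may need a `restorecon`. Add a comment line above `Volume=`, in the style of the existing `User=` comment, saying that the directory is relabelled and must be dedicated to this container.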

scripts/run-openclaw-podman.sh

Lines changed: 20 additions & 4 deletions
@@ -183,14 +183,30 @@ fi
183183
ENV_FILE_ARGS=()
184184
[[ -f "$ENV_FILE" ]] && ENV_FILE_ARGS+=(--env-file "$ENV_FILE")
185185

186+
# On Linux with SELinux enforcing/permissive, add ,Z so Podman relabels the
187+
# bind-mounted directories and the container can access them.
188+
SELINUX_MOUNT_OPTS=""
189+
if [[ -z "${OPENCLAW_BIND_MOUNT_OPTIONS:-}" ]]; then
190+
if [[ "$(uname -s 2>/dev/null)" == "Linux" ]] && command -v getenforce >/dev/null 2>&1; then
191+
_selinux_mode="$(getenforce 2>/dev/null || true)"
192+
if [[ "$_selinux_mode" == "Enforcing" || "$_selinux_mode" == "Permissive" ]]; then
193+
SELINUX_MOUNT_OPTS=",Z"
194+
fi
195+
fi
196+
else
197+
# Honour explicit override (e.g. OPENCLAW_BIND_MOUNT_OPTIONS=":Z" → strip leading colon for inline use).
198+
SELINUX_MOUNT_OPTS="${OPENCLAW_BIND_MOUNT_OPTIONS#:}"
199+
[[ -n "$SELINUX_MOUNT_OPTS" ]] && SELINUX_MOUNT_OPTS=",$SELINUX_MOUNT_OPTS"
200+
fi
201+
186202
if [[ "$RUN_SETUP" == true ]]; then
187203
exec podman run --pull="$PODMAN_PULL" --rm -it \
188204
--init \
189205
"${USERNS_ARGS[@]}" "${RUN_USER_ARGS[@]}" \
190206
-e HOME=/home/node -e TERM=xterm-256color -e BROWSER=echo \
191207
-e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \
192-
-v "$CONFIG_DIR:/home/node/.openclaw:rw" \
193-
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \
208+
-v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \
209+
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \
194210
"${ENV_FILE_ARGS[@]}" \
195211
"$OPENCLAW_IMAGE" \
196212
node dist/index.js onboard "$@"
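Review bot: the override branch interpolates `OPENCLAW_BIND_MOUNT_OPTIONS` into the `-v` spec with only a leading colon stripped, so any mount option the caller supplies lands after `rw` unchecked (a value of `ro` yields `rw,ro`, and a value of `,` yields a trailing `rw,,`). Separately, because the outer test is `-z`, an empty value falls back to auto-detection, so the only way to switch relabelling off on an SELinux host is the accidental `OPENCLAW_BIND_MOUNT_OPTIONS=":"`. Suggest validating the value against the labels the variable is named for and adding an explicit opt-out, e.g. `case "${OPENCLAW_BIND_MOUNT_OPTIONS#:}" in Z|z) SELINUX_MOUNT_OPTS=",${OPENCLAW_BIND_MOUNT_OPTIONS#:}" ;; none) SELINUX_MOUNT_OPTS="" ;; *) echo "unsupported OPENCLAW_BIND_MOUNT_OPTIONS" >&2; exit 1 ;; esac`, and document `none` as the opt-out.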
@@ -203,8 +219,8 @@ podman run --pull="$PODMAN_PULL" -d --replace \
203219
-e HOME=/home/node -e TERM=xterm-256color \
204220
-e OPENCLAW_GATEWAY_TOKEN="$OPENCLAW_GATEWAY_TOKEN" \
205221
"${ENV_FILE_ARGS[@]}" \
206-
-v "$CONFIG_DIR:/home/node/.openclaw:rw" \
207-
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw" \
222+
-v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" \
223+
-v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}" \
208224
-p "${HOST_GATEWAY_PORT}:18789" \
209225
-p "${HOST_BRIDGE_PORT}:18790" \
210226
"$OPENCLAW_IMAGE" \
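Review bot: the two `-v` lines are now duplicated verbatim between this hunk and the `onboard` invocation above, each with `${SELINUX_MOUNT_OPTS}` appended, so a later change to one mount spec is easy to miss in the other. Collect them once next to `ENV_FILE_ARGS`, e.g. `VOLUME_ARGS=(-v "$CONFIG_DIR:/home/node/.openclaw:rw${SELINUX_MOUNT_OPTS}" -v "$WORKSPACE_DIR:/home/node/.openclaw/workspace:rw${SELINUX_MOUNT_OPTS}")`, and pass `"${VOLUME_ARGS[@]}"` in both `podman run` calls.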
