[Bug]: run-openclaw-podman.sh bind mounts missing SELinux :Z label, causing EACCES on Fedora/RHEL with SELinux enforcing #39448

@langdon

Description

Bug type: Behavior bug (incorrect output/state without crash)

Summary

run-openclaw-podman.sh bind mounts are missing the SELinux :Z relabel option, causing EACCES: permission denied on Linux hosts with SELinux enforcing or permissive mode (e.g. Fedora, RHEL, CentOS Stream).

Steps to reproduce

  1. Run setup-podman.sh on Fedora 43 (SELinux enforcing by default).
  2. Run sudo -u openclaw /home/openclaw/run-openclaw-podman.sh launch setup.
  3. The onboarding wizard immediately fails with a config permission error.

Expected behavior

The container can read and write its bind-mounted config and workspace directories.

Actual behavior

Failed to read config at /home/node/.openclaw/openclaw.json Error: EACCES: permission denied, open '/home/node/.openclaw/openclaw.json'
...
Config file is not readable by the current process. If running in a container
or 1-click deployment, fix ownership with:
  chown 1002 "/home/node/.openclaw/openclaw.json"
Then restart the gateway.

The error misleadingly suggests a uid ownership problem, but the actual cause is SELinux blocking the container from accessing the host bind-mounted directories — the file ownership is correct.

Root cause

run-openclaw-podman.sh mounts config and workspace as -v "$CONFIG_DIR:/home/node/.openclaw:rw" without the :Z SELinux relabel option. On hosts with SELinux enforcing or permissive, Podman containers cannot access bind-mounted host directories unless the mount is labelled with :Z (private relabel) or :z (shared relabel).

Note: docker-setup.sh already handles this correctly via OPENCLAW_BIND_MOUNT_OPTIONS=":Z" (added in ec817b4). run-openclaw-podman.sh was not updated with the same treatment.

Fix

Auto-detect SELinux mode via getenforce and append ,Z to bind mount options when enforcing or permissive. Also honour an explicit OPENCLAW_BIND_MOUNT_OPTIONS override for flexibility. Applied to both the gateway run and the onboard/setup run.

OpenClaw version: main (post ec817b4)

Operating system: Fedora 43 / Linux with SELinux enforcing (also affects RHEL, CentOS Stream, and any SELinux-enabled distro)

Install method: ./setup-podman.sh --quadlet + run-openclaw-podman.sh launch setup

Impact and severity

  • Affected: all users running setup-podman.sh on SELinux-enabled distros (Fedora is the primary Linux desktop/server target for rootless Podman)
  • Severity: high — blocks onboarding and gateway startup completely
  • Frequency: 100% repro on Fedora/RHEL with default SELinux enforcing
  • Consequence: gateway cannot start; config is unreadable; error message misleads user into thinking it is a uid ownership problem
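The fix described in the report, worked through as an added example that is not OpenClaw's own run-openclaw-podman.sh: the helper names (selinux_mode, bind_mount_opts, config_volume_arg) and the normalisation of the OPENCLAW_BIND_MOUNT_OPTIONS override are assumptions made here; the mount path and the ",Z" / getenforce logic follow the issue text.

```shell
#!/bin/sh
# Added example: derive the SELinux relabel suffix for podman bind mounts.
# Not part of the OpenClaw project; helper names are hypothetical.
set -eu

# Report the SELinux mode; "Disabled" when getenforce is absent or fails,
# so hosts without SELinux simply get no extra mount option.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce 2>/dev/null || echo Disabled
  else
    echo Disabled
  fi
}

# bind_mount_opts MODE [OVERRIDE]
# Prints the suffix to append after ":rw" in a "-v host:ctr:rw" mount.
# An explicit OVERRIDE (the OPENCLAW_BIND_MOUNT_OPTIONS value) always wins;
# otherwise ",Z" is added only when SELinux is Enforcing or Permissive.
bind_mount_opts() {
  mode="$1"; override="${2-}"
  if [ -n "$override" ]; then
    # Accept ":Z" (docker-setup.sh style), ",Z" or bare "Z"/"z".
    override="${override#:}"; override="${override#,}"
    printf ',%s\n' "$override"
    return 0
  fi
  case "$mode" in
    Enforcing|Permissive) printf ',Z\n' ;;
    *) printf '\n' ;;
  esac
}

# config_volume_arg HOST_DIR MODE [OVERRIDE]
# Builds the full argument for "podman run -v" for the config directory.
config_volume_arg() {
  printf '%s:/home/node/.openclaw:rw%s\n' "$1" "$(bind_mount_opts "$2" "${3-}")"
}

main() {
  m="$(selinux_mode)"
  echo "SELinux mode: $m"
  echo "podman run ... -v $(config_volume_arg "${CONFIG_DIR:-/home/openclaw/.openclaw}" "$m" "${OPENCLAW_BIND_MOUNT_OPTIONS-}") ..."
}

main
```

On an Enforcing host this prints a mount ending in ":rw,Z", the private relabel the report asks for; with SELinux disabled the mount is left unchanged.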
